TH EN JP
1.
Principles and Objectives of the Policy
Bangkok Chayoratn Co., Ltd. (“the Company”) has implemented this privacy policy in order to inform all of its customers and business partners of its measures regarding personal data information management which includes the collecting, using and disclosing of Personal Data in accordance with the Personal Data Protection Act B.E. 2562 (the “PDPA”). Such measures are based on effective and appropriate international standards on personal data protection procedures.
2.
Scope of Enforcement and Application of the Policy
The scope of enforcement and application of the Privacy Policy is in accordance with the PDPA and covers all processing of Personal Data (as defined in this policy) which is performed by the Company, as well as any person who comes into contact with Personal Data as it relates to the Company's operations and must therefore comply with this Privacy Policy and the legal framework.

With respect to Personal Data that has been collected prior to the introduction of the PDPA , the Company is permitted to continue collecting and using a Data Subject’s Personal Data for the initial purposes it was given for. Any disclosures and acts other than the collection and use of Personal Data must be in compliance with the PDPA.
3.
Definitions
“Privacy Policy” means the policy that the Company has established to make a Data Subject aware of the Company’s processing of their data and a number of other relevant issues as stipulated by the PDPA.
“Personal Data” means any information relating to an identifiable person, either directly or indirectly, but excluding the information of a deceased person in particular.
“Sensitive Data” means Personal Data relating to race, ethnicity, political opinion, belief, religion or philosophy, sexual orientation, criminal record, health information, disability, labour union information, genetic data, biological data, or any other data which may impact the Data Subject in a similar manner, as stipulated in the Personal Data Protection Committee’s announcements.
“Processing” means the collection, use, or disclosure of Personal Data.
“Data Subject” means an individual who is the owner of Personal Data.
“Data Controller” means another person or juristic person with power and duties to make a decision regarding the collection, use or disclosure of Personal Data.
“Data Processor” means a person or juristic person who processes, collects, uses or discloses Personal Data in accordance with an order of or on behalf of the Data Controller. The person or the juristic person engaging in those procedures is not the Data Controller.
“Cookies” means small, temporary files collecting personal data that it is necessary to install on the computer of the data subject only for convenience and facilitation of communication while gaining access to a website.
4.
Personal Data Collection
The Company’s collection of Personal Data on Data Subjects (such as specific personal information, information related to the personal life or personal interests, financial information, or sensitive personal information) shall be based on the following sources and principles:
  • Sources of Personal Data
    The Company may receive Personal Data from the following three (3) channels: :
    • Collection from the Data Subject; for example, the Company may collect Personal Data from a Data Subject by having them provide personal information in application forms, either in paper form or online, or via a Data Subject providing responses to surveys conducted by the Company, or via their access to the Company’s website using Cookies.
    • Collection from another company, juristic person or organization of which the Data Subject is a member or is related to, for the benefits of the Data Subjects e.g. an employer purchases insurance for the welfare of their employee, or a tour company purchases insurance for tourists which use its service.
    • Collection from sources other than the Data Subject, for example, searches for Personal Data via a website or inquiries made by third parties including an insurance broker or agent. In such case, the Company will notify the Data Subject of the collection of their Personal Data without delay, but in any case not more than 30 (thirty) days from the date that the Company collects the Personal Data from such sources, and shall request consent from the Data Subject to collect their Personal Data, except where exempted by law from the need to request consent from or notify the Data Subject.
    Examples of data that the Company may collect are as follows:
    • Personal information: name, date of birth, nationality, ID card number or passport number, driving license, or other identifiable government documents, and details of family member(s).
    • Contact information: email address, phone number, and fax number.
    • Work history: professional status, position.
    • Information on use of websites: username and password for use of online services and applications, IP address information.
    • Information on use of cookies.
    • Data from marketing surveys: data analysis, marketing statistics of data subjects.
    • Sensitive information: information on religion, health, criminal history.
    • Information on asset including devices and locations of devices, registered documents such as car registration.
    • CCTV footage.
    • Financial information, Credit Card.
  • Principles of Personal Data Collection:
    The Company will only collect Personal Data that is necessary for the operations of the Company for the following purposes:
    • To enter into an agreement and comply with an agreement between the Company and a Data Subject.
    • To verify identity or investigate an individual before providing services or entering into an agreement with the Company as required by the Office of Anti-Money Laundering.
    • To provide service to customers in respect of marketing and claim assistance service including analysis and statistics.
    • To develop and improve the Company's products to better respond to the needs of customers.
    • To provide information about products and services or conduct PR/marketing campaigns.
    • To comply with laws relating to the operations of the Company such as the collection of Personal Data for the purpose of withholding tax, or to report to Office of Insurance Commission (OIC), or to make necessary documents as may be required by any governmental agency or organizations related thereto.
    • For the purposes of audit, analysis and preparation of documents as requested by other agencies or organizations that are involved with or may be relevant to the Company's business operations, such as the Bank of Thailand.
    If it is necessary for a Data Subject to provide their Personal Data for the purpose of entering into a contract or for any other purposes, and they refuse to give consent to the giving of their Personal Data, then it may affect a transaction or any other activities relating to the Data Subject, such affect may include the suspension or cessation of services as may be required by business operation or law, unless the Data Subject voluntarily consents to provide such data to the Company.
  • Consent and exceptions where Consent from the Data Subject is not Required ล
    The Company will collect and retain Personal Data only for as long as is necessary for the fulfilment of the Company’s purposes in accordance with applicable laws, with Data Subjects notified accordingly prior to or at the time of collection of their Personal Data. The Company shall obtain explicit consent from a Data Subject prior to or at the time of the collection of their Personal Data, except in the following circumstances, where the Company may collect Personal Data without requesting consent from the respective Data Owner.
    • To fulfill purposes relating to the preparation of historical documents or archives on public interest grounds or relating to research studies or statistics. In such cases the Company will implement appropriate security measures to protect the fundamental rights and freedoms of Data Subjects.
    • To prevent or to avoid danger to an individual’s life, body or health.
    • To comply with a contract, only to the extent that it is necessary to do so, to which the Data Subject is a party or in order to take steps requested by the Data Subject prior to entering into a contract.
    • To carry out tasks, only to the extent that it is necessary to do so, for the public interest or in the exercise of official authority vested in the Company.
    • For the purposes of legitimate interests pursued by the Company or by third parties or by other juristic persons, except where such interests are overridden by the fundamental rights and freedoms of Data Subjects.
    • To comply with laws such as the Credit Information Business Operation Act, B.E.2559, Civil and Commercial Code and Criminal Code.
  • Collection of Sensitive Data When collecting Sensitive Data, the Company shall obtain explicit consent from the respective Data Subject prior to or at the time of collection, in accordance with the Company's rules and in compliance with applicable laws.
5.
Use and disclosure of Personal Data
The use and disclosure of personal data by the Company shall be in compliance with the purposes and principles stated in Section4.2 Principles of Personal Data Collection. The Company may disclose Personal Data to agencies or third parties with the consent of the Data Subject only to the extent that it is necessary to do so, unless such disclosure is permitted by law. Personal Data may be disclosed to third parties, organizations or government agencies as follows:
  • Affiliates or group companies of the Company;
  • Contractual parties, service providers and business partners of the Company such as companies in the insurance business, insurance agents or co-brokers, reinsurance companies both local and abroad;
  • Outside providers of services to the Company such as hospitals, surveyors, IT service providers;
  • Agencies responsible for credit information;
  • Banks;
  • Government agencies with legal authority such as the Anti-Money Laundering Office, the Office of the National Anti-Corruption Commission, the Office of the Narcotics Control Board, the Social Security Office, the Revenue Department, the Legal Execution Department and the Courts; and
  • Other agencies or organizations who are or may be involved in the business operations of the Company, such as the Bank of Thailand, Office of Insurance Commission (OIC)
6.
Retention Methods and Retention Period for Personal Data
The Company shall retain Personal Data either soft copy or hard copy format. The hard copy shall be stored in locked cabinet in the Company and the soft copy shall be stored in the secured server in the Company.
The duration for which the Company shall retain Personal Data will be either one of the following:
  • 6.1 Personal Data will be retained by the Company for the periods as stipulated by applicable laws that are specifically relevant to the retention of Personal Data such as the Accounting Act , Anti-Money Laundering Act, , Act on Commission of Offences Relating to Computer, and the Revenue Code;
  • 6.2 In cases where the retention period for Personal Data is not specified by relevant laws, the Company will determine the period necessary and appropriate for operation. At the end of such retention period, the Company shall delete, destroy, or anonymize the Personal Data.
7.
Transmission or transfer of personal data to other countries.
When the Company transmits or transfers Personal Data to another country (outside of Thailand), it shall take steps to ensure that the destination country has sufficient personal data protection standards.

However, in cases where that the destination country does not have sufficient personal data protection standards, the transmission or transfer of such personal information must comply with exceptions specified in the Company’s rules that are not in violation of the law.
8.
Data Analytics by Third Party
Google Analytics on our sites which include, but not limited to, our corporate websites. Google Analytics uses technologies such as cookies to help analyze users’ website experience. The information generated by the cookies about your use of Chayoratn’s website (such as your IP address, the URL visited, the date and time the page are viewed) will be transmitted and stored by Google on Google servers. Google will use such information to monitor the compile reports on website activities and provide other services related to website activities and Internet usage. Google may transfer this information to third parties where required by law, or where such third parties process information on Google’s behalf. For more information about Google’s privacy policy in respect of Google Analytics, please refer to http://www.google.com/analytics/learn/privacy.html . You may opt out of Google Analytics by using Google add-on at https://tools.google.com/dlpage/gaoptout?hl+en=GB .
9.
Privacy Policy of Other Websites
The Privacy Policy of the Company is applicable to our websites only. Some parts of our websites or applications may contain links to third party websites or services such as social networks, those websites may not operate under this Privacy Policy. We are not responsible of such third party websites and services or their privacy practices. You are advised to check the privacy policies on those websites or services to understand their policies on the collection, use, transfer and disclosure of personal data thoroughly.
10.
Rights of Data subjects
Data Subjects shall have the following rights available to them in accordance with the PDPA.
  • Right to withdraw consent: A Data Subject has the right to withdraw their consent for the processing of their Personal Data that they have given to the Company throughout the period in which their Personal Data is kept by the Company. However, such withdrawal will not affect the collection, usage and disclosure of Personal Data under which the previous consent was received.
  • Right of access: A Data Subject has the right to access their Personal Data and to request the Company to make a copy of such data. The Company shall comply within 30 days from its receipt of the request unless the Company is legally permitted to decline such request (for example the request is prohibited by law or by a valid court order).
  • Right to rectification: A Data Subjects has the right to request the Company to rectify incorrect or incomplete data such that it is correct, up-to-date, complete and not misleading.
  • Right to erasure: A Data Subjects has the right to request the Company to delete their Personal Data in certain circumstances such as where the Data Subject has withdrawn their consent to the collection, use or disclosure of their Personal Data and the Data Controller no longer has the power according to law to collect, use or disclose such Personal Data.
  • Right to restriction of processing: A Data Subject has the right to request the Company to restrict the use of their Personal Data for certain reasons such as where the gathering of Personal Information was done using an illegal practice etc.
  • Right to data portability: A Data Subjects has the right to transfer their Personal Data that they have provided to the Company to another Data Controller or to themselves for certain reasons except where the Personal Data is used to serve the public interest or where the Company is compelled by court order to keep such information or where the transfer of such Personal Data may violate the rights of others.
  • Right to object: A Data Subjects has the right to object to the processing of their Personal Data for certain reasons such as their Persona Data received using an illegal practice etc.
However, the Company may refuse the exercise of the above rights by the data subjects, provided that the rejection is in accordance with the Company’s rules that are not in violation of the law, especially when it is necessary to use the Personal Data in obtaining the right to exercise acclaim according to the law or to practice by law.

The Company shall provide a channel through which Data Subjects can contact the Company to make requests to exercise the above rights. In the event that the Company rejects a request, it shall notify the Data Subject of the reason for the rejection.

The Data Subject has the right to file a complaint if the Data Controller or the Data Processor, including its employees or service providers violates the PDPA, or notifications issued in accordance with the Act.
11.
Personal Data Security
The Company has established appropriate personal data security measures to prevent the loss of unauthorized and unlawful access to, and the use, modification, correction or disclosure of Personal Data in accordance with the Company's policies and procedures for information security.

If the Company engages an agency or a third party to perform work related to the collection, use or disclosure of Personal Data of Data Subjects, then it shall require such agency or the third party to keep the Personal Data confidential and secure, and to prevent the collection, use or disclosure of such Personal Data for any purposes other than as specified in the scope of engagement or for any unlawful purposes.
12.
Policy review and improvement
The Company shall review and update this Privacy Policy as and when it deems necessary in order to reflect the Company’s practices, regulations and relevant law. The Company reserves the right not to inform changes of this Privacy Policy to the Data Subjects individually but the Company will post up-dates of this Privacy Policy on its website as soon as possible after such change is made.
13.
Contact Channel
If a Data Subject has any questions about this Privacy Policy, or would like to exercise their right according to the PDPA, then they should contact :
Name : Bangkok Chayoratn Co., Ltd.
Address : 25 Bangkok Insurance/Y.W.C.A. Building, 10th Floor, South Sathorn Road, Tungmahamek, Sathorn, Bangkok. 10120
Contact Channel : Tel. : 02-2857575
Email : chayoratn@chayoratn.com
Details of the Company’s Data Protection Officer
Name : Ms. Siriporn Wisuthiareerak
Address : Bangkok Chayoratn Co., Ltd.
25 Bangkok Insurance/Y.W.C.A. Building, 10th Floor, South Sathorn Road, Tungmahamek, Sathorn, Bangkok. 10120
Contact Channel : Tel. : 02-2857590
Email : dpo@chayoratn.com