Privacy Policy

TT Insurance Broker (Thailand) Co., Ltd.

Last updated: May 2022

1. Introduction

TT Insurance Broker (Thailand) Co., Ltd. (the “Company”, “we”, “us” or “our” in this privacy policy) is a non-life insurance brokerage and re-insurance company and a subsidiary of Toyota Tsusho (Thailand) Co., Ltd. The Company is committed to offering a wide range of products in the non-life insurance business to meet the needs of both individual customers and group companies. Consistent with our Code of Conduct & Ethics, the Company will respect the privacy rights of Data Subjects pertaining to Personal Data that the Company collects, uses, processes, stores, discloses and/or transfers for the purposes of its business activities.

2. Purpose of this privacy policy

This privacy policy aims to give you, as a Data Subject, information on the way your Personal Data is processed (including collection, use, storage, disclosure and transfer) (hereinafter referred to as “Processing” or “Process”) by the Company, as a data controller (or a data processor, where applicable).

For your information, Personal Data means any information relating to a natural person who is not a deceased person, which enables the identification of such natural person, whether directly or indirectly (and such natural person shall be a “Data Subject”).

Consistent with our Global Code of Conduct & Ethics, we will respect the rights to privacy of individuals and comply with the Personal Data Protection Act B.E. 2562 (A.D. 2019) (“PDPA”).

3. Personal Data Process

Personal Data means any information relating to Data Subject which directly or indirectly identifies such individual person such as first name, last name, address, date of birth, telephone number, photo, biometric data, including customer or supplier data, employee data, data of directors, shareholders, contractors, etc. It does not include data where the Data Subject is not or no longer identifiable (anonymous data).
Based on the aforementioned definition, we may Process the following Personal Data of yours:

• “Personal details and Identification” (e.g. first name, maiden name, last name, username or similar identifier, photo, marital status, title, career, date of birth, gender, age, residency, family status including family member information, house registration address, property information, visa, work permit, national identification card, passport, tax identification and other government-issued identification);

• “Personal information about your beneficiaries, your family members and/or dependents” (that you provided to us in any application, forms or other documents or in connection with your request, purchase, acceptance or use of our products or services, such as their names, addresses and contact details);

• “Contact Information” (e.g., billing address, delivery address, email address, telephone numbers and social media and electronic communication account);

• “Payment Information” (e.g., bank account and debit card or credit card details including receipts);

• “Personal Data necessary for Marketing and Communications” (e.g., your Personal Data allowing us to prepare or provide presentation and price comparison of insurance products and policy renewal notification, including for carrying out product publicity and performing services for you);

• “Products and Services Preferences” (e.g. preferred type of insurances, preferred price ranges, preferred insurance service providers);

• “Claim information” (e.g., insurance application, claim requests and claim information, details of products and services that you have purchased from the Company);

• “Insurance Policy information” (e.g., type of insurance policy, policy number, insurance premium amount, coverage limit according to the policy, payment details, payment method and payment history);

• “Purchases and Services History” (e.g., purchase information, details of services provided to you by the Company, previous insurance details and history);

• “Personal History” (e.g., educational background, transcript, academic degree, skills, qualifications, job history and any other information that might be necessary to judge your suitability to job role);

• “Security Data” (e.g., photograph and/or voice recording by means of closed circuit television (CCTV), photograph, footage, video, voice recording of conversations);

• “Technical Information” (e.g., IP address, cookies, location of the accessing device while using the Company’s website and/or social media);

• “Sensitive Data” (e.g., information about health/medical records, health condition, health examination result, biometric data, disability, race, religion, blood type, vaccination record, criminal record).

Personal Data may be converted into statistical or aggregated data in such a way that you, as a Data Subject, will not be identified or identifiable from it and may be used for analytical and research purposes. In such case, it will no longer be your Personal Data.

4. How is Personal Data collected?

We collect your Personal Data, including in the following ways:

• Direct collection: We collect Personal Data directly from you, as a Data Subject.
This includes when you fill in a designated form or electronic form, and/or correspond with us by post, email or otherwise, when you:

   • request information on our products or services;

   • provide us with your business cards;

   • place orders or make requests for our products or services;

   • give us feedback or contact us; or

   • apply for job roles and subsequently take interviews.

• Indirect collection: We may also collect your Personal Data from third parties such as the organization to which you belong, your beneficiaries, your family members, custodians, curators, persons acting on your behalf and/or public sources to the extent that it is permitted under the PDPA and other applicable laws. This includes when a third party provides to us your Personal Data in any applications, forms or other documents in connection with your request, purchase, acceptance or use of our products or services.

5. How the Company Processes Personal Data

5.1 Legal grounds for lawful Processing of Personal Data
The Company will Process your Personal Data only when relevant laws and/or regulations (in particular, PDPA) allow us to do so.

When the Company Processes your Personal Data as a data controller, we will rely on at least one of the legal grounds for lawful Processing, including, but not limited to, the following:

• “Consent by Data Subject” (Processing Personal Data in the case where you have given consent to such processing for one or more specific purposes);

• “Performance of Contract” (Processing Personal Data in the case where it is necessary for the performance of a contract to which you are a party, or for taking steps at your request before entering into such a contract);

• “Compliance” (Processing Personal Data in the case where it is necessary for our compliance with a legal obligation to which the Company is subject);

• “Vital Interest” (in the case where it is for preventing or suppressing a danger to a person’s life, body or health);

• “Legitimate Interests” (Processing Personal Data in the case where it will be in the legitimate interests of the Company to carry out its operation and management of its business for provision of most suitable services and/or products.)

Before processing your Personal Data under this Legitimate Interests ground, we will assess potential impacts (both positive and negative) on you and your rights and further make comparison between such impacts on you and the Company’s Legitimate Interests. We will not Process your Personal Data by relying on this Legitimate Interests ground if the adverse effect on you and your rights exceeds the Company's Legitimate Interest.

For Sensitive Data, in addition to the lawful basis mentioned above, we will process your Sensitive Data on the following basis:

• your explicit consent;
• Compliance with a law to achieve the purposes with respect to the assessment of working capacity of the employee, employment protection, social security, national health security, social health welfare of the entitled person by law or social protection;
• Other public interests as permitted under the law.

Where we are a data processor, we will process your Personal Data on behalf of the data controller only for and to the extent of the performance of contract that we have with the data controller.

5.2 Purposes for Processing of Personal Data
As a data controller, we have set out below, in a table format, a description of typical (i) purposes for Processing of Personal Data, (ii) types of Personal Data and (iii) legal grounds for lawful Processing of Personal Data. (We may Process your Personal Data for more than one legal ground depending on the specific purpose for Processing of Personal Data. In addition to the purposes listed in the table below, please note that we may also Process your Personal Data for complying with legal obligations of the Company, for Legitimate Interests, or for Vital Interests as permitted by law.)

| Purposes for Processing of Personal Data | Types of Personal Data | Legal Grounds for Lawful Processing |
| --- | --- | --- |
| 1. To register and verify identity of a new customer, supplier, or service provider before using (or providing) services or entering into a contract | (a) Personal details and Identification; (b) Contact Information; (c) Personal information about your beneficiaries, your family members and/or dependents | (a) Consent by Data Subject; (b) Performance of Contract; (c) Legitimate Interests (for business administration purpose) |
| 2. To supply (or procure) goods or provide (or receive) services appropriately including: (a) placing (or receiving) order; (b) delivery (or take delivery); (c) paying (or receiving) fees; (d) administration of debts and credits; and (e) providing (or receiving) services subject to Foreign Business License; (f) entering into a contract and fulfill the contract between companies with the data subject; (g) performing insurance services and insurance agent services | (a) Personal details and Identification; (b) Contact Information; (c) Payment Information; (d) Claim information; (e) Insurance Policy Information; (f) Sensitive Data; (g) Personal information about your beneficiaries, your family members and/or dependents | (a) Consent by Data Subject; (b) Performance of Contract; (c) Legitimate Interest (for fulfilling obligation of our business properly) |
| 3. To provide information about the products and services, product and price comparison, publicity of products and services, including reminder for renewal of insurance policy | (a) Personal details and Identification; (b) Contact Information; (c) Personal Data necessary for Marketing and Communications; (d) Products and Services Preferences; (e) Purchases and Services History; (f) Claim information; (g) Insurance Policy Information; (h) Sensitive Data | (a) Consent by Data Subject; (b) Performance of Contract; (c) Compliance; (d) Legitimate Interest (Response to requests or perform transactions contemplated in any document that submitted to Company;) |
| 4. To provide assistance and advice on claims process | (a) Personal details and Identification; (b) Contact Information; (c) Payment Information; (d) Claim information; (e) Insurance Policy Information; (f) Sensitive Data; (g) Personal information about your beneficiaries, your family members and/or dependents | (a) Consent by Data Subject; (b) Performance of Contract; (c) Compliance; (d) Legitimate Interest (for fulfilling obligation of our business properly) |
| 5. To maintain relationship, ask for participate in a market and satisfaction surveys | (a) Personal details and Identification; (b) Contact Information; (c) Payment Information; (d) Claim information; (e) Insurance Policy Information; (f) Purchases and Services History | (a) Consent by Data Subject; (b) Legitimate Interest (for business administration and to develop the Company business for efficient service and meet the needs of customers to the extent as permitted by law) |
| 6. To administer and protect business and company website, social media and other online communication platform/channel (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Personal details and Identification; (b) Contact Information; (c) Technical information | (a) Consent by Data Subject; (b) Performance of Contract; (c) Compliance; (d) Legitimate Interest (for management and service on the website, social media and other online communication platform/channel, network security and for prevention of fraud) |
| 7. To manage human resource for the Company to make appropriate decision about recruitment and human resource management (including management of payment of salaries, compliance with employment contract and labour law, carrying out training session and welfare allocation) | (a) Personal details and Identification; (b) Contact Information; (c) Payment Information; (d) Personal History; (f) Sensitive Data | (a) Consent by Data Subject; (b) Performance of Contract; (c) Legitimate Interest (for recruiting individuals and to make sure there is no miss-matching of the job requirement and the applicant, for procuring proper human resource management); (d) Compliance; (e) Vital Interest; (f) Employment protection |
| 8. To implement security measure by controlling access to the office, to ensure our security of our employee and visitors, and to record and maintain records of photos images via closed circuit television (CCTV), photographs, footages and video. | (a) Personal details and Identification; (b) Contact Information; (c) Security Data | (a) Performance of Contract; (b) Compliance; (c) Vital interest; (d) Legitimate Interest (for securing safety of employee and our visitors) |
| 9. To investigate or address claims or disputes relating to business of the Company or satisfy requirements under applicable laws, regulations, or operating licenses. | (a) Personal details and Identification; (b) Contact Information; (c) Payment Information; (d) Personal History; (e) Security data | (a) Performance of Contract; (b) Compliance; (c) Legitimate Interest (for investigating and responding to claims and disputes relating to the business of the Company) |

Besides the above, where we are a data processor, we will process your Personal Data on behalf of the data controller for the purposes, in a manner and to the extent as engaged and instructed by the data controller only.

5.3 Personal Data Collection of a Minor Person, Incompetent Person, Quasi-Incompetent Person
As a data controller, Company may collect and process Personal Data of a minor, incompetent person or quasi-incompetent person in accordance with the PDPA and other applicable laws. In case you are a minor, incompetent person or quasi-incompetent person, when we acquire your consent, we will obtain consent from your holder of parental responsibility, your custodian or your curator who has the power to act on behalf of you, as the case may be.

If we become aware that we have unintentionally collected Personal Data pertaining to a minor, incompetent person or quasi-incompetent person which we should not have been collecting without consent from a holder of parental responsibility, a custodian or a curator who has the power to act on behalf of Data Subject, as the case may be, we shall take steps to delete the above Personal Data immediately except where we are required by law to keep it or where we are permitted to collect and process such Personal Data under other legal basis according to the PDPA.

5.4 Change to purpose, etc.
The Company will only Process your Personal Data for the informed purposes for which we collected it, unless we reasonably consider that we need to Process it for another purpose and such purpose is compatible with the original informed purpose.

If the Company needs to Process your Personal Data for a purpose apparently irrelevant to the original informed purpose, we will inform you of the new purpose and obtain your prior consent where your consent is required under the applicable law.

Company may Process your Personal Data, without your knowledge or consent, if to do so is required or permitted by relevant laws and/or regulations.

6. Disclosure of Personal Data

Company may disclose your Personal Data to the following third parties, subject to availability of safety measure for protection of Personal Data and compliance with the relevant laws and regulations by such third parties:

• “Internal Third Parties”
• “External Third Parties”
• “Third parties, to whom we may choose to sell and transfer our business (or vice versa) or with whom we may merge”

When the Company asks External Third Parties to Process your Personal Data on our behalf, we will not allow them to use your Personal Data for their own purposes. We will permit them to Process your Personal Data only within the scope of our instructions and applicable relevant laws and regulations.

A new owner of our business will be able to Process your relevant Personal Data to the same extent permitted by this policy and in accordance with the PDPA.

7. Transfer of Personal Data to a foreign country

Disclosure of your Personal Data mentioned in Clause 6. (Disclosure of Personal Data) above may include transfer of your Personal Data to a foreign country. Company will transfer your Personal Data from Thailand to a foreign country only if at least one of the following applies:
(a) transfer of your Personal Data from Thailand to a foreign country where the destination country or international organization that receives such Personal Data has adequate data protection standard and the transfer is carried out in accordance with the rules for the protection of Personal Data as prescribed by the Personal Data Protection Committee; or
(b) transfer of your Personal Data from Thailand to a foreign country in the following scenarios:
(i) for compliance with the law
(ii) with your consent
(iii) for performance of a contract to which you are a party or at your pre-contract request
(iv) for compliance with a contract between the Company and others in your interests
(v) for preventing or suppressing a danger to your life, body, or health, or
(vi) necessary for carrying out activities in relation to substantial public interest.

8. Data security

Company has put in place appropriate security measures to prevent the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of your Personal Data and will ensure that the security measures are in accordance with the minimum standard specified and announced by the Personal Data Protection Committee under the PDPA.

The Company limits access to your Personal Data to employees, agents, contractors and other persons and third parties mentioned in Clause 6. (Disclosure of Personal Data) above, and only as necessary. They will be allowed to Process your Personal Data only within the scope of our instructions and will be subject to a duty of confidentiality.

If we discover that there is a breach of your Personal Data that poses a risk to the rights and freedom of a person, the Company will report it to the Office of Personal Data Protection Commission without undue delay, and where feasible no later than 72 hours after discovery.

If the breach is likely to result in a high risk to the rights and freedom of a person, we will additionally notify you that there has been a breach and provide information about the breach and the guideline of remedy without undue delay.

9. Retention period of Personal Data

Company will retain your Personal Data only to the reasonable extent necessary to achieve the purposes for collection of the same.

Company may retain your Personal Data for a longer period in the event that a complaint or potential litigation is brought against or to be initiated by Company. We may also retain your Personal Data even after the purposes for its collection are fulfilled in case it is necessary as the Company has an ongoing legitimate interest to do so, or it is for compliance with the applicable law, including the Computer Crimes Act B.E. 2550 (2017).

To determine the appropriate retention period of your Personal Data, we will consider the amount, nature and sensitivity of your Personal Data; the potential risk of harm from unauthorized use or disclosure of your Personal Data; purposes for Processing your Personal Data; prospect of achieving such purposes through other means, as well as the applicable legal, tax, accounting or other requirements.

10. Legal rights of Data Subject

10.1 Legal rights
In relation to your Personal Data, you may make a request to the Company at the contact details under Clause 12 of this Privacy Policy to exercise the following rights of Data Subject:
(a) Right to Access and Obtain Copy: (This enables you to request access to and receive a copy of your Personal Data held by us and to check the status of lawful Processing of your Personal Data. This also includes the right to request the disclosure of the acquisition of your Personal Data obtained without your consent.)
(b) Right to Data Portability: (This enables you to obtain your Personal Data in the format which is readable or commonly used by ways of automatic tools or equipment, including to request to send or transfer your Personal Data to another Data Controller or to you, unless it is technically unfeasible to do so.)
(c) Right to Object: (This enables you to raise an objection to the Processing of your Personal Data in case that the Company:
     i) Processes your Personal Data based on legitimate interest or public interest ground, except in the case that the Company can demonstrate compelling legitimate grounds, or Processing of your Personal Data is carried out for establishment, compliance with or exercise of the legal claims or defense of the legal claims;
     ii) Processes your Personal Data for the purpose of direct marketing; or
     iii) Processes your Personal Data for the purpose of scientific, historic or statistic research, unless it is necessary for conducting activities for the public interest by the Company.)
(d) Right to erasure of Personal Data: (This enables you to ask us to delete, destroy or anonymize your Personal Data if there is no legitimate reason for us continuing to Process it, including when your Personal Data is no longer necessary in relation to the purposes for which it was collected or when you withdraw your consent on which the Processing is based and no other legal ground is available. However, please note that we may not always be able to comply with your request to delete your Personal Data for specific legal reasons as permitted by PDPA and other relevant regulations.)
(e) Right to restriction: (This enables you to ask us to suspend the Processing of your Personal Data in the following scenarios:
     (i) If the Company is pending the verification of the accuracy of your Personal Data as per your request;
     (ii) In case of your Personal Data which shall be deleted or erased in accordance with 10.1 (d), but you request restriction of use instead;
     (iii) It is no longer necessary for the Company to use your Personal Data; however, you have a necessity to request the retention for the purpose of exercising legal claims, or for defense of the legal claims; or
     (iv) The Company is pending the verification according to 10.1(a) or pending examination regarding 10.1(c) in order to reject your objection request.)
(f) Right to rectification: (This enables you to request that your Personal Data be rectified if your Personal Data is inaccurate, not up to date or incomplete, or may cause a misunderstanding.)
(g) Right to withdraw consent: (This will not affect the lawfulness of any Processing carried out before such withdrawal. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time of such withdrawal by you.)
(h) Right to lodge a complaint: (This enables you to lodge a complaint to the Office of Personal Data Protection Committee if we or our employees fail to comply with the PDPA or the announcements issued under the PDPA.)

When we receive a request to exercise your rights above, we will fulfill the request without undue delay (within 30 days unless otherwise permitted by law), provided that the request is carried out in accordance with the PDPA and other relevant regulations and we have no legitimate reason to reject such request as permitted by law.

You have the right to make a complaint to the relevant supervisory authority in charge of data protection issues having competent jurisdiction. However, we would appreciate it if you could give us the chance to deal with your concerns in the first instance before you approach such supervisory authority.

10.2 Cost, etc.
Basically, you do not have to pay any cost for exercising any of said rights. However, we may ask you to bear reasonable cost if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to respond to your request in these circumstances according to the PDPA and other applicable laws and regulations.

10.3 Provision of additional information
When we receive a request to exercise your rights, we may need to request specific information from you to help us confirm your identity and secure your rights. This is a security measure to ensure that your Personal Data will not be disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your specific request to speed up our response.

10.4 Updates to this policy
This policy may be updated from time to time. You can find the latest version on the Company website and/or our online communication media/platform.

11. Third-party links

Our website and/or our online communication media/platform may include links to third-party websites. Clicking on those links or enabling those connections may allow third parties to collect or share Personal Data about you. We do not control these third-party websites and are not responsible for their privacy statements. Accordingly, when you leave our website, we encourage you to read the privacy policy of every website you visit.

12. Contact

If you have any questions regarding this privacy policy, please contact our Data Protection Officer (DPO) at the following contact information:

TT Insurance Broker (Thailand) Co., Ltd.
Address: 44/1 Rungrojthanakul Bldg., Ratchadapisek Road, Kwang Huaykwang,
Khet Huaykwang, Bangkok 10310 Thailand.
Telephone No. 0 2115 9410-21
E-mail Address: [email protected]