Lockton Wattana Insurance Brokers (Thailand) Ltd. (“Company”) respects and values your privacy and the protection of your personal data as a customer of the Company, which is a fundamental right. As such, customers would like their personal data to be handled in a secure manner. The Personal Data Protection Act stipulates rules or measures to supervise the protection of personal data in relation to the collection, use, and disclosure of personal data as well as the rights of customers. Therefore, the Company has created this Privacy Policy to protect the privacy of customers. Its contents are as follows.
1. Definitions
In this Privacy Policy, the following terms shall have the meanings set out below:
1.1 PDPA means the Personal Data Protection Act, B.E. 2562, and as amended, including related rules, regulations and orders.
1.2 Personal Data means information relating to a natural person that can be used to identify such person whether directly or indirectly, according to the Personal Data Protection Act, B.E. 2562.
1.3 Data Protection Officer (DPO) means officer(s) appointed by the Data Controller to act as Data Protection Officer, pursuant to the Personal Data Protection Act B.E. 2562.
1.4 Company means Lockton Wattana Insurance Brokers (Thailand) Ltd.
1.5 Data Controller means a natural person or a juristic person who has the authority to decide on the issues relating to Personal Data of customers, insurance applicants, beneficiaries, or must do or perform in accordance with a contract with such persons.
1.6 Data Processor means a natural person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller.
1.7 Partners means partners or alliances of the Company, or working with the Company, such as non-life insurance companies, life insurance companies, surveyors, etc.
1.8 Website and/or the Application means websites and/or the Application owned or provided by Lockton Wattana Insurance Brokers (Thailand) Ltd., as the case may be.
2. General Provision
This Privacy Policy is intended to inform you of details and methods for protecting and handling Personal Data of customers, service users, event participants, and prospective groups. The Company may update or amend this Privacy Policy including as specifically set forth in any part of the Website and/or the Application, whether in whole or in part, from time to time in order to comply with changing legal rules and guidelines. Data subjects are therefore advised to keep up to date with this Privacy Policy.
3. Collection of Personal Data
3.1 In regard to the collection, use, and/or disclosure of Personal Data, the Company will use lawful means to collect, use and/or disclose the Personal Data. The Company will collect limited Personal Data, only to the extent necessary for the purposes of collecting, using, and/or disclosing Personal Data and in accordance with provisions of the PDPA;
3.2 The Company may collect, use and/or disclose Personal Data given to the Company, or the Company is in possession of, or the Partners disclosed to the Company, or the Company had obtained or accessed from a reliable source such as Personal Data that the customers had made public;
3.3 In the event that a data subject does not provide Personal Data, or provides inaccurate or out-of-date Personal Data to the Company, the data subject may not be able to make transactions with the Company, transactions may be less convenient, or it may become impossible to perform contractual obligations that the data subject has with the Company. This may cause damage or loss to the data subject and may affect compliance with any laws that the data subject or the Company must comply with;
3.4 Personal Data that the Company collects, uses, and/or discloses may be divided into 2 categories:
(1) General Personal Data such as
(a) Identification Information and contact information such as photo, name and surname, identification number, information as appeared on the copy of identification card, passport number, gender, date of birth, age, status, address, occupation, workplace, telephone number, fax number, e-mail address, etc.
(b) Work Information such as job position, work department, details of employment contract, personal records, work records, etc.
(c) Financial Information such as information as appeared on the copy of bank passbook, and tax identification number.
(d) Information used as evidence or in various transactions such as Personal Data shown in the copy of the identification card, copy of passport, copy of name change certificate, copy of house registration, copy of driving license, copy of vehicle registration, vehicle registration number, copy of land title deed, copy of power of attorney, copy of company certificates, invoices, receipts, payment vouchers, and copy of professional or business licenses, etc.
(e) Technology Information such as computer or mobile logs, IP address, geographic location by location technology, browser, referring Website and/or the Application, records of website and/or the Application usage, login log, transaction log, website and/or the Application access statistics, access time, search history, social media records, the use of various functions on the website and/or the Application and information that the Company collected through cookies or other similar technologies, etc.
(f) Pictures and video recordings through CCTV footage and audio/voice recording or other data that can be used to identify such person.
(2) Sensitive Data means Personal Data that is inherently private to the data subject in accordance with Section 26 of the Personal Data Protection Act B.E. 2562, such as face scan/face recognition, religion as it appears on the copy of identification card (if any), criminal records including alleged offenses or prosecution, health, ethnicity, etc.
The Company does not have any policy to store sensitive data of the data subject, except:
(a) In the case where the Company has obtained expressed consent from the data subject; or
(b) In other cases as stipulated by the PDPA.
3.5 Retention Period of Personal Data
The Company shall collect and retain Personal Data of the data subject for as long as necessary for the objective of collecting and using Personal Data as described in this Privacy Policy. In cases where the data subject terminates a relationship or an agreement with the Company, terminates a hiring contract with the Company, no longer uses the services, or the business transaction has been executed, the Company shall store Personal Data for a specified period after that, or as specified by the law, or legal prescription, or for the exercise or defense of legal claims. Nevertheless, after the expiration of the storage period of each type of Personal Data, the Company shall proceed to erase, destroy, or anonymize the Personal Data. The retention period of Personal Data shall be in accordance with the Company’s Data Retention Policy. However, the Company may retain the Personal Data of the data subject for longer than has been specified if permitted by law.
4. Purpose of Processing of Personal Data
The Company may collect, use, and/or disclose Personal Data for the following purposes:
4.1 Purposes of Processing of Personal Data in which the Company must obtain consent
(1) The collection, use, and disclosure of Sensitive Data for the following purposes:
(a) For identity verification such as verification through identification card or passport in which Sensitive Data such as religion, blood type, race data may be shown, etc.
(b) For the collection of information necessary for the consideration and appraisal of insurance.
(2) Where it is necessary to transfer the Personal Data to countries that may not have an adequate level of data protection, for which the law requires consent.
(3) Collecting, using, and/or disclosing Personal Data of customers for use in public relations communications and promotions, relaying news or activities of the Company to customers.
4.2 Purposes for which the Company may rely on a lawful basis for collecting, using, and/or disclosing the Personal Data.
The Company may rely on the following lawful bases to collect, use and disclose Personal Data, including:
(1) It is necessary for the performance of a contract, for entering into an employment contract, or performance of the employment contract with the data subject;
(2) It is necessary for compliance with legal obligations;
(3) It is necessary for the purposes of the legitimate interests of the Company or third party, where such interests are proportionate to the fundamental rights of the data subject of his or her Personal Data;
(4) It is necessary for preventing or suppressing a danger to a person’s life, body, or health; and
(5) It is necessary for performance of a task carried out in the public interest or in the exercise of official authority.
The Company shall rely on the lawful bases of processing listed in (1) to (5) for the collection, use, and/or disclosure of Personal Data for the following purposes:
• Performance of the contract to which the customer is the contracting party or the customer's request before entering into that contract
• Receiving complaints
• Providing product information, general information, customer loan status
• Order verifications
• Product offering
• Storing various documents for customers
• Coordinate and manage claims with insurance companies
• Submit documents as per customer's request
• Using Personal Data of family members, customer’s reference persons to verify information and consider customer requests
• Contact customers according to the information that the customers notified or according to the questions or concerns from the customer
• Contact customers to offer services and products
• Use the customer's information to apply for membership with the Company
• The Company's accounting processes
• Other purposes reasonably required by the Company as stated in the application or any relevant documents
4.3 The Company shall not collect, use and/or disclose Personal Data other than for the purposes that the Company has notified, unless
(1) the Company has informed the new purposes to the data subject and has obtained consent thereof; or
(2) it is prescribed by law.
5. Disclosure of Personal Data
The Company shall disclose the Personal Data to Partners for the purposes for which the Company has informed the data subject only. The Company will disclose the Personal Data in the following cases:
(1) The Company has obtained consent from the data subject.
(2) It is necessary for the performance of the contract or at the request of the data subject, including disclosure in order to allow any transaction or activity of the data subject to be carried out and to achieve its objectives.
(3) It is necessary for legitimate interests, such as disclosure to a legal entity or organization for fraud detection and prevention purposes, video recording of meetings or doing transactions with the Company for the security of the Company, etc.
(4) To comply with laws or official rules or orders of regulatory authorities or an official agency with legal powers such as the Ministry of Labor, Social Security Office, Department of Skill Development, Student Loan Fund, the Department of Empowerment of Persons with Disabilities, the Court, the Legal Execution Department, the police or any other government agency as required by law.
(5) Disclose to the following natural persons or juristic persons or other organizations:
(a) Outsourcing or service providers such as banks, payment service providers, human resources system providers, and training or financial service providers, which access the Personal Data in order to process it for the purposes specified in Article 4 of this Privacy Policy.
(b) Government agencies or agencies with legal powers such as the revenue department, courts, the Legal Execution Department, the police, or any other government agency as required by law for compliance with the laws and regulations or legal obligations.
6. Updating, Reviewing, or Amending the Privacy Policy
The Company may, from time to time, update, review, or amend this Policy, whether partially or fully, in order to comply with the Company's operating guidelines, laws, rules, and regulations of competent authorities.
7. Rights of Data Subject
7.1 In the event that the data subject wishes to know or obtain a copy of Personal Data which is under the responsibility of the Company, or request the Company to disclose the acquisition of data that was obtained without consent, the data subject can do so in accordance with the rules and procedures specified by the Company.
7.2 In the event that the data subject sees that his/her Personal Data is inaccurate, not up to date, or incomplete, which may cause misunderstanding, the data subject has the right to request the Company to correct and complete the Personal Data based on information they may provide by filing a data subject rights request form with the Company in accordance with the Company’s conditions and procedures. In the case where the Company does not respond to or comply with the rights request, the Company shall keep a record of the request with the reasons for refusal as evidence for future inspection.
7.3 The data subject has the right to withdraw consent given to the Company for processing your Personal Data at any reasonable time unless there is a restriction of the withdrawal of consent by law, or there is a contractual obligation that benefits you. For example, you are still bound by an employment contract with the Company, or you have contractual obligations or legal obligations with the Company. Nevertheless, if you withdraw consent, you may not be able to receive services from or conduct a transaction with the Company, or the Company’s ability to provide services to you may be limited.
7.4 The data subject has the right to receive Personal Data concerning yourself from the Company. In which case, the Company shall arrange such Personal Data to be in the format which is readable or commonly used by ways of automatic tools or equipment and can be used or disclosed by automated means. You are also entitled to request the Company to send or transfer the Personal Data in such formats to other Data Controllers if it can be done by automatic means or entitled to request to directly obtain the Personal Data in such formats that the Company sends or transfers to other Data Controllers unless it is impossible to do because of the technical circumstances.
7.5 The data subject has the right to object to the collection, use, and/or disclosure of Personal Data at any reasonable time in any of the following circumstances:
(1) the Personal Data was collected for the performance of a task in the public interest or as necessary for the legitimate interests of the Company, except
(a) the Company demonstrates a legitimate ground which is more important, or
(b) it is for the establishment of legal claims, compliance with or exercising legal claims, or raising legal claims.
(2) In the case of collecting, using, or disclosing Personal Data for direct marketing purposes.
(3) In the case of collecting, using, or disclosing Personal Data for the purpose of scientific research, history or statistics, unless it is necessary for the Company’s public interest.
7.6 The data subject has the right to request the Company to erase or destroy or anonymize Personal Data to become anonymous data in any of the following cases:
(1) When the retention of Personal Data is no longer necessary for the purposes of collection, use, or disclosure.
(2) When the data subject withdraws consent and the Company does not have legal authority in collecting, using, or disclosing the Personal Data.
(3) When the data subject objects to the collection, use, or disclosure of Personal Data in accordance with Article 7.5 (1) and the Company cannot refuse the objection or is collecting, using, or disclosing Personal Data for direct marketing purposes.
(4) When Personal Data has been unlawfully collected, used, or disclosed.
7.7 The data subject has the right to request the Company to stop the use of Personal Data, in any of the following circumstances:
(1) when the Company is investigating whether the Personal Data is accurate, up-to-date, complete, or does not cause misunderstandings, at the request of the data subject.
(2) when the Personal Data must be deleted or destroyed because the Personal Data was collected, used, or disclosed unlawfully, but the data subject requests the restriction of use instead.
(3) when the Personal Data is no longer necessary to be kept according to the purpose of processing, but the data subject is obliged to request retention in order to establish legal rights, compliance, or the exercise or raise of legal claims.
(4) when the Company is in the process of proving more important legal grounds or the establishment of a statutory claim, the performance or exercise of a statutory claim, or a defense of a statutory claim, in the event that the data subject exercises the right to object to the collection, use or disclosure of the data.
7.8 The data subject may lodge a complaint with the Personal Data Protection Committee under the PDPA in the case where the Company or a Data Processor, including employees or contractors of the Company, violates or fails to comply with the PDPA or announcements issued under such laws at:
Office of the Personal Data Protection Commission
7th Floor Ratthaprasasanabhakdi Building
The Government Complex Commemorating His Majesty The King's 80th Birthday Anniversary
Chaeng Watthana Road, Thung Song Hong, Lak Si, Bangkok 10210
Nevertheless, the rights of the data subjects mentioned above depend on various factors, and the Company may not be able to act on the request of the data subject in the event required by law or where the Personal Data was anonymized, or in the case where the Company has a legitimate interest to collect, use and/or disclose Personal Data, for example, the owner of the data still uses the service or conducts transactions with the Company, or the Company has duties in accordance with the law such as the retention of Personal Data in accordance with the period required by law or for the exercise of legal claims, even if the data subject has terminated the relationship with the Company, etc.
8. Security Measure for Storing Personal Data
The Company is committed to protecting your Personal Data. Hence, the Company shall provide security measures including a safe and appropriate system for collecting, using, or disclosing Personal Data to prevent your Personal Data from accidental loss, unauthorized access of data, destruction of data, misuse of data, unauthorized change or disclosing of data, in accordance with the Company’s information technology security policies and/or procedures.
The Company shall provide security measures of Personal Data which include operational safeguards, technical protection measures, and physical safeguards regarding access or control of the Personal Data usage which at least consists of the following actions:
(1) Control of access to Personal Data and storage devices and Processing of Personal Data considering the usage and security;
(2) Determine permission to access Personal Data;
(3) User access management to Personal Data for designated person(s) only;
(4) Determine roles and responsibilities of users to prevent unauthorized access, disclosure, copy of Personal Data, or theft of storage devices or data; and
(5) Provide a method for tracing back the access, alteration, erasing, or transmission of Personal Data in accordance with the methods and storage media used for processing of Personal Data.
9. Application of Privacy Policy
This Privacy Policy applies to all Personal Data that the Company has collected, used, and disclosed, and for which the Company had obtained consent from you prior to carrying out the processing activity (if any), as well as the collection of your Personal Data currently or in the future for use and disclosure to third parties within the scope of this Privacy Policy.
10. Personal Data of Third Party
If the data subject provides Personal Data of a third party, such as Personal Data of spouse, children, parents, family members, beneficiary, persons who can be contacted in case of emergency, reference persons, and other persons related to the holding of securities, the data subject warrants that the data subject has the authority and permission of such third party to provide such Personal Data to the Company, and has a duty to notify the third party about the collection, use, and/or disclosure of such Personal Data in accordance with this Privacy Policy, including obtaining the consent of the relevant third party.
11. Privacy Policy Review
The Company may review this Policy at least once a year. Updated versions will be adopted by the PDPA Committee of the Company where deemed necessary or appropriate.
12. Governing Law and Jurisdiction
This Privacy Policy is governed by and construed in accordance with the laws of Thailand, and the competent court of Thailand shall have jurisdiction to settle any disputes.
13. Contact Information
If the data subject wishes to contact, or has questions, or would like to inquire about the details of collecting, using, and/or disclosing Personal Data including the rights of the data subject under this Privacy Policy, or wishes to withdraw consent to the collection, use and/or disclosure of Personal Data, or in the event that the data subject's Personal Data is misused, please contact the Company by the following channels: