Privacy Policy
Bangkok Chayoratn Co., Ltd.
Bangkok Chayolife Co., Ltd.
  1. Principles and Objectives of the Policy
    Bangkok Chayoratn Co., Ltd. and Bangkok Chayolife Co.,Ltd. (Subsidiary Company) (“the Company”) has implemented this privacy policy in order to inform all of its customers and business partners of its measures regarding personal data information management which includes the collecting, using and disclosing of Personal Data in accordance with the Personal Data Protection Act B.E. 2562 (the “PDPA”). Such measures are based on effective and appropriate international standards on personal data protection procedures.
  2. Scope of Enforcement and Application of the Policy
    The scope of enforcement and application of the Privacy Policy is in accordance with the PDPA and covers all processing of Personal Data (as defined in this policy) which is performed by the Company, as well as any person who meets Personal Data as it relates to the Company's operations and must therefore comply with this Privacy Policy and the legal framework.
  3. Definitions
    “Privacy Policy” means the policy that the Company has established to make a Data Subject aware of the Company’s processing of their data and several other relevant issues as stipulated by the PDPA.
    “Personal Data” means any information relating to an identifiable person, either directly or indirectly, but excluding the information of a deceased person.
    “Sensitive Data” means Personal Data relating to race, ethnicity, political opinion, belief, religion or philosophy, sexual orientation, criminal record, health information, disability, labor union information, genetic data, biological data, or any other data which may impact the Data Subject in a similar manner, as stipulated in the Personal Data Protection Committee’s announcements.
    “Processing” means the collection, use, or disclosure of Personal Data.
    “Data Subject” means an individual who is the owner of Personal Data.
    “Data Controller” means another person or juristic person with power and duties to decide regarding the collection, use or disclosure of Personal Data.
    “Data Processor” means a person or juristic person who processes, collects, uses, or discloses Personal Data in accordance with an order of or on behalf of the Data Controller. The person or the juristic person engaging in those procedures is not the Data Controller.
    “Cookies” means small, temporary files collecting personal data that it is necessary to install on the computer of the data subject only for convenience and facilitation of communication while gaining access to a website
  4. Personal Data Collection
    The Company’s collection of Personal Data on Data Subjects (such as specific personal information, information related to the personal life or personal interests, financial information, or sensitive personal information) shall be based on the following sources and principles:
    • Sources of Personal Data
      The Company may receive Personal Data from the following three (3) channels: :
      • Collection from the Data Subject; for example, the Company may collect Personal Data from a Data Subject by having them provide personal information in application forms, either in paper form or online, or via a Data Subject providing responses to surveys conducted by the Company, or via their access to the Company’s website using Cookies.
      • Collection from another company, juristic person, or organization of which the Data Subject is a member or is related to, for the benefits of the Data Subjects e.g., an employer purchases insurance for the welfare of their employee, or a tour company purchases insurance for tourists which use its service.
      • Collection from sources other than the Data Subject, for example, searches for Personal Data via a website or inquiries made by third parties including an insurance broker or agent. In such case, the Company will notify the Data Subject of the collection of their Personal Data without delay, but in any case, not more than 30 (thirty) days from the date of collecting the Personal Data from such sources and shall request consent from the Data Subject to collect their Personal Data, except were exempted by law from the need to request consent from or notify the Data Subject.
      Examples of data that the Company may collect are as follows:
      • Personal information: name, date of birth, nationality, ID card number or passport number, driving license, or other identifiable government documents, and details of family member(s).
      • Contact information: email address, phone number, and fax number.
      • Work history: professional status, position.
      • Information on use of websites: username and password for use of online services and applications, IP address information.
      • Information on use of cookies.
      • Data from marketing surveys: data analysis, marketing statistics of data subjects.
      • Sensitive information: information on religion, health, criminal history.
      • Information on asset including devices and locations of devices, registered documents such as car registration.
      • CCTV footage.
      • Financial information, Credit Card.
    • Principles of Personal Data Collection:
      The Company will only collect Personal Data that is necessary for the operations for the following purposes:
      • To enter into an agreement and comply with an agreement between the Company and a Data Subject.
      • To verify identity before providing services or as required by the Office of Anti-Money Laundering.
      • To provide service to customers in respect of marketing and claim assistance service including analysis and statistics.
      • To develop and improve the Company's products to better respond to the needs of customers.
      • To provide information about products and services or conduct PR/marketing campaigns.
      • To comply with laws relating to the operations of the Company such as for the purpose of withholding tax.
      • To report to Office of Insurance Commission (OIC)for the controlling and promoting of insurance business.
        The privacy policy of OIC can be read by website: https://www.oic.or.th
      • For the purposes of audit, analysis and preparation of documents as requested by other agencies or organizations that are involved with or may be relevant to the Company's business operations, such as the Bank of Thailand.
      If it is necessary for a Data Subject to provide their Personal Data for the purpose of entering into a contract or for any other purposes, and they refuse to give consent to giving of their Personal Data, then it may affect a transaction or any other activities relating to the Data Subject, such affect may include the suspension or cessation of services as may be required by business operation or law, unless the Data Subject voluntarily consents to provide such data to the Company.
    • Exceptions where Consent from the Data Subject is not Required
      The Company will collect and retain Personal Data only as long as it is necessary for the fulfilment of the Company’s purposes in accordance with applicable laws. The Company shall obtain explicit consent from a Data Subject prior to or at the time of the collection of their Personal Data, except in the following circumstances, where the Company may collect Personal Data without requesting consent from the respective Data Owner.
      • To fulfill purposes relating to the preparation of historical documents or archives on public interest grounds or relating to research studies or statistics. In such cases the Company will implement appropriate security measures to protect the fundamental rights and freedoms of Data Subjects.
      • To prevent or to avoid danger to an individual’s life, body, or health.
      • To comply with a contract, only to the extent that it is necessary to do so, to which the Data Subject is a party or to take steps requested by the Data Subject prior to entering a contract.
      • To carry out tasks, only to the extent that it is necessary to do so, for the public interest or in the exercise of official authority vested in the Company.
      • For the purposes of legitimate interests pursued by the Company or by third parties or by other juristic persons, except where such interests are overridden by the fundamental rights and freedoms of Data Subjects.
      • To comply with laws such as the Credit Information Business Operation Act, B.E.2559, Civil and Commercial Code and Criminal Code.
    • Collection of Sensitive Data The Company shall obtain explicit consent from the respective Data Subject prior to or at the time of collection, in accordance with the Company's rules and in compliance with applicable laws.
  5. Use and disclosure of Personal Data
    Personal Data may be disclosed to third parties, organizations or government agencies as follows:
    • Affiliates or group companies of the Company.
    • Contractual parties, service providers and business partners of the Company such as companies in the insurance business, insurance agents or co-brokers, reinsurance companies both local and abroad, insurance actuary, Road Accident Victims Protection Co.,Ltd.
    • Outside providers of services to the Company such as hospital, surveyor, IT service provider, life support center, The Medical Council, Third Party Administration (TPA), car repair shop, insured person, policy holder, insurance premium payor, witness, beneficiary, statutory heir, claimant, sufferer, assignee, creditor, debtor of the Company.
    • Agencies responsible for credit information.
    • Banks.
    • Government agencies with legal authority such as the Anti-Money Laundering Office, Office of the National Anti-Corruption Commission, Office of the Narcotics Control Board, the Securities and Exchange Commission, Social Security Office, the Revenue Department, the Legal Execution Department, and the Courts.
    • Other agencies or organizations who are or may be involved in the business operations of the Company, such as the Bank of Thailand, Office of Insurance Commission (OIC)
  6. Retention Methods and Retention Period for Personal Data
    The Company shall retain Personal Data either soft copy or hard copy format. The hard copy shall be stored in locked cabinet The duration for which the Company shall retain Personal Data will be either one of the following:
    • Personal Data will be retained for the periods as stipulated by applicable laws such as the Accounting Act, Anti-Money Laundering Act, Act on Commission of Offences Relating to Computer, and the Revenue Code.
    • In cases where the retention period for Personal Data is not specified by relevant laws, the Company will determine the period necessary and appropriate for operation. At the end of such retention period, the Company shall delete, destroy, or anonymize the Personal Data.
  7. Transmission or transfer of personal data to other countries.
    When the Company transmits or transfers Personal Data to another countries, it shall take steps to ensure that the destination country has sufficient personal data protection standards. In cases where that the destination country does not have sufficient personal data protection standards, the transmission or transfer of such personal information must comply with exceptions specified in the Company’s rules that are not in violation of the law.
  8. Data Analytics by Third Party
    Google Analytics on our sites which include, but not limited to, our corporate websites. Google Analytics uses technologies such as cookies to help analyze users’ website experience. The information generated by the cookies about your use of Chayoratn’s website (such as your IP address, the URL visited, the date and time the page are viewed) will be transmitted and stored by Google on Google servers. Google will use such information to monitor the compile reports on website activities and provide other services related to website activities and Internet usage. Google may transfer this information to third parties where required by law, or where such third parties process information on Google’s behalf. For more information about Google’s privacy policy in respect of Google Analytics, please refer to http://www.google.com/analytics/learn/privacy.html. You may opt out of Google Analytics by using Google add-on at https://tools.google.com/dlpage/gaoptout?hl+en=GB.
  9. Privacy Policy of Other Websites
    The Privacy Policy of the Company is applicable to our websites only. Some parts of our websites or applications may contain links to third party websites or services such as social networks, those websites do not operate under this Privacy Policy. We are not responsible of such third party websites and services or their privacy practices. You are advised to check the privacy policies on those websites to understand their policies on the collection, use, transfer, and disclosure of personal data thoroughly.
  10. Rights of Data subjects
    Data Subjects shall have the following rights available to them in accordance with the PDPA.
    • Right to withdraw consent: A Data Subject has the right to withdraw their consent for the processing of their Personal Data that they have given to the Company throughout the period in which their Personal Data is kept by the Company. However, such withdrawal will not affect the collection, usage, and disclosure of Personal Data under which the previous consent was received.
    • Right of access: A Data Subject has the right to access their Personal Data and to request the Company to make a copy of such data. The Company shall comply within 30 days from its receipt of the request unless the Company is legally permitted to decline such request (for example the request is prohibited by law or by a valid court order).
    • Right to rectification: A Data Subjects has the right to request the Company to rectify incorrect or incomplete data in order to make the data to be correct, up-to-date, complete, and not misleading.
    • Right to erasure: A Data Subjects has the right to request the Company to delete their Personal Data in certain circumstances such as where the Data Subject has withdrawn their consent to the collection, use or disclosure of their Personal Data and the Data Controller no longer has the power according to law to collect, use or disclose such data.
    • Right to object and restriction A Data Subjects has the right to object to or restrict the processing of their Personal Data for certain reasons such as their Persona Data received using an illegal practice etc.
    • Right to data portability:
    However, the Company may refuse the exercise of the above rights by the data subjects, provided that the rejection is in accordance with the Company’s rules that are not in violation of the law, especially when it is necessary to use the Personal Data in obtaining the right to exercise acclaim according to the law or to practice by law.

    The Company provides a channel through which Data Subjects can contact the Company to make requests to exercise the above rights. In case that the Company rejects a request, it shall notify the Data Subject of the reason for the rejection.

    The Data Subject has the right to file a complaint if the Data Controller or the Data Processor, including its employees or service providers violates the PDPA, or notifications issued in accordance with the Act.
  11. Personal Data Security
    The Company has established appropriate personal data security measures to prevent the loss of unauthorized and unlawful access to, and the use, modification, correction, or disclosure of Personal Data in accordance with the Company's policies and procedures for information security.

    If the Company engages an agency or a third party to perform work related to the collection, use or disclosure of Personal Data, then it requires such agency or the third party to keep the Personal Data confidential, secure, and prevent the collection, use or disclosure of such Personal Data for any purposes other than as specified in the scope of engagement or any unlawful purposes.
  12. Policy review and improvement
    The Company shall review and update this Privacy Policy as and when it deems necessary to reflect the Company’s practices, regulations, and relevant law. The Company reserves the right not to inform changes of this Privacy Policy to the Data Subjects individually but will post up-dates of this Privacy Policy on its website as soon as possible after such change is made.
  13. Contact Channel
    Data Subject has any questions about this Privacy Policy, or would like to exercise their right according to the PDPA, then they should contact:
    Data Protection Officer
    Bangkok Chayoratn Co., Ltd. /Bangkok Chayolife Co., Ltd.
    25 Bangkok Insurance/Y.W.C.A. Building, 10th Floor, South Sathorn Road, Tungmahamek, Sathorn, Bangkok. 10120
    Telephone: 02-285-7575