The Company collects your personal data in relation to your relationship with the Company and who have chosen to provide such personal data to the Company. This includes the following information:

1. Your personal data that makes it possible to identify you, such as your name, surname, ID card number. Passport number, driver’s license number, date of birth, occupation and photograph.
2. Your contact information such as address, telephone number, email address and social media accounts.
3. Personal information of third parties that you have provided to the Company in the form of requests or any document or provide in connection with the request, purchase, acceptance or use of the Company’s products or services, such as the name, address and contact information of your beneficiaries, your family members and/or your dependents, etc.
4. Your insurance request, claim request and information about your claim details about the products and services that you have purchased from the Company.
5. Your financial information such as salary, income, tax information, bank account details, credit/debit card details, loan details, investment information and payment details.
6. Working information including personal information of those you have provided to the Company about your past and present work.
7. Details about the products and services that you indicate your interest in or bought from the company such as a type of insurance policy, policy number, insurance premium amount, coverage limit according to the policy, payment details, payment method and payment history.
8. Cookies or small computer files that store your personal data on your computer; and
9. Other personal data that you have given to the company through various channels.

The Company requests that you refrain from submitting information which may be classified as sensitive personal data under the Personal Data Protection Law, unless such information is required by law or to the performance of the contract and for the purpose of the contract between you and the Company or your request that has been sent to the company before entering into that contract.
Sensitive personal data held by the Company collected in connection with the relationship between you and the Company and the information that you have chosen to provide or need to provide to the Company includes the following information:

1. Health information, medical information or medical treatment.
2. Ethnics or race.
3. Sexual preference or orientation.
4. Membership of a political organization.
5. Criminal history and prosecution.
6. Religious or philosophical beliefs.
7. Genetic information; and.
8. Biometric information.

The Company will collect, use, disclose or process your personal data in a lawful manner and necessary for a specific purpose, as well as specifying some legitimate reasons to process your personal data. This will depend on the type of personal data that the company processes.

The Company will process personal data only where required or permitted by law for services/products specified in the contract to prevent danger to life, body and health in the case of the Company’s legitimate interests or in the event that the company obtains your permission (consent).

1. Legal Compliance
   The Company will process your personal data to the extent necessary for the performance of its legal obligations such as insurance laws, Anti-Money Laundering Laws, Tax Laws, Personal Data Protection Laws.
2. Contract
   The Company will process your personal data where it is necessary for the performance of the contract to which you are a party or to process your request before entering into a contract.
   The processing of your personal data will be in accordance with the agreement between you and the Company for the following reasons.
   • 2.1 Provide you with goods and services and to administer, operate, maintain, manage and use such services and goods, including but not limited to insurance products, financial or other products of the Company.
   • 2.2 Process, evaluate and consider any underwriting or requests your concerning services or products of the Company that issuing or making insurance contracts and keeping your account with the Company.
   • 2.3 Take steps and carry out instructions for payment.
   • 2.4 Determine the amount of debts you owe or have to be paid to you, charge or request any amount that you or any person which is the collateral or pledge of your obligations to pay; and,
   • 2.5 To exercise any rights that the Company may have in relation to the products and/or services that the Company provided to you and,
   2.6 For any purpose in connection with any claims you have or claims against you or by anything else related to you in respect of any products and/or services that the Company has provided to you including but not limited to soliciting, defending, analyzing, reviewing, processing, evaluating, determining, negotiating, resolving or ending such claims.
3. Life-crucial benefits
   The Company will process your personal data by adhering to the principles of life-crucial benefits to prevent or avoid harm to a person’s life, body or health.
4. Righteous interests
   When considering the benefits, your rights and freedoms, the Company may process your personal data under the legitimate interests of the Company or outsiders up to the following:
   • 4.1 Comply with obligations, policies or procedures for providing information and/or use of information in accordance with the Company’s project to comply with various enforcement measures or to prevent or detect money laundering providing financial support for terrorism, fraud or other crimes including illegal activities.
   • 4.2 To fulfill contractual obligations or other obligations either now or in the future with the legal authorities, regulatory agency, government, tax, law enforcement or other agencies and self-regulatory organizations or industry organizations such as the Council or Association of Insurance Companies in Thailand or other jurisdictions.
   • 4.3 Meet the obligation to disclose information as required by laws, rules, regulations and codes of conduct or various guidelines (Applicable whether within or outside Thailand) binding the Company or companies which is under the control of the Company, partner companies, including but not limited to disclosure to legal entities, regulatory agencies, government agencies, tax authorities, law enforcement or other agencies and self-regulatory organizations or industry organizations such as the Council or Association of Insurance Companies in Thailand or other jurisdictions.
   • 4.4 For internal management, preparation of internal information reports, accounting, accounting audit and complaint management.
   • 4.5 Establish and maintain credibility related to risk.
   • 4.6 Security and business continuity; and,
   4.7 For any purpose relating to various claims you have or claims against you or by anything else related to you in respect of any products and/or services that the Company has provided to you including but not limited to soliciting, defending, analyzing, reviewing, processing, evaluating, determining, negotiating, amending or ending such claims.
5. Consent
   In addition to the various legal bases above, the Company may process your personal data with your consent. The company will ask for your consent only if the company has no other legal base for the Company to be able to process your personal data especially in the case of the Company’s processing activities that may affect sensitive personal data which if your consent is required, the company will specify clearly in order for you to confirm your decision to give consent to the Company. If the Company is unable to provide products and/or services to you because you do not consent to the company in processing your personal data, the company will clearly inform you at the time that the company ask for your consent.

1. 1. Designing insurance products for customers, including analyzing, improving services and products.
   2. Reviewing the coverage of your existing policy and analyzing its needs.
   3. Operate, maintain and provide services related to requests for services and/or products.
   4. Validate and check qualification, reliability, physical examination, health check, stability, underwriting consideration and/or verifying identity for the purpose of providing services or products.
   5. To provide you with various products and services and to manage, operate, maintain, manage and use such services and products, including but not limited to insurance products of the company in the event that the company is necessary to process your sensitive personal data.
   6. Identify and provide information about services, products or activities that may be of interest to you or that you may be interested in.
   7. Analyze data, research and opinions and suggestions and feedback for the development, creation and operation of the company’s business model including products, services and systems that will help the Company can provide services to a higher standard or increase the benefits for you.
   8. For internal management, preparation of internal information reports, accounting, accounting audit, management of complaints or claims in the event that the company is necessary to process your sensitive personal data; and,
   9. Offer you different services and products or any proposition

In addition, in the event that the data owner is a minor, incompetent person or quasi-incompetent person, the Company must obtain consent from a legal representative, parent, guardian or custodian.

The Company may need to disclose personal information to the organization or other agencies in the event that a third party is located in a jurisdiction that does not provide the same level of protection for your personal data. The Company will conduct appropriate due diligence and to ensure that there is an agreement which has reasonable contractual clauses to protect your personal data after the transfer, the Company may transmit your personal data to third parties as follows:

• The Office of Insurance Commission (“OIC”)
• Anti-Money Laundering Office, Revenue Department
• Thai General Insurance Association and/or the agency assigned to collect statistics and calculate premiums.
• Reinsurers and/or co-insurer
• Financial institutions or financial service providers.
• Service providers who have been assigned by the Company to act on behalf of the insurance risk survey, compensation agreement, legal proceedings, audits and other work related to insurance contracts; or,
• Financial or legal entities in connection with the merger, domination or the sale of all or most of the Company’s business to or to other companies.

The Company will retain personal data for the period necessary to perform the purposes stated in this Policy, for which the standard expected period of collection is 10 years, unless necessary or permitted according to the law, the retention of personal data is longer than that (but not limited to) as follows:

1. 1. Keep as long as the company still maintain relationship with you.
   2. Store as needed according to the Company’s rules and/or,
   3. Retain as advised as to the legal status of the Company (for example, in accordance with the applicable statute of limitations) litigation or defense or various inspections as required by law)

The Company will delete your personal data after the retention period of the Company has expired. However, the retention period for personal data in such general cases may differ depending on the jurisdiction applicable to the contract of the Company and the type of information involved.

Under the Personal Data Protection Law, you have rights which consists of:

1. Right of access to information: You have the right to access and obtain a copy of your personal data held by the Company, and you can also request that the Company disclose the source that the company get your personal information which you did not give consent.
2. Right to data transfer: In some cases, you have the right to request that the Company transfers your personal data to other individuals/organizations or ask to see personal information that the company has been transferred to another person/organization.
3. The right to object to the processing of your personal data: In some cases, you have the right to object to the processing of your personal data unless there is a cause that prevents you from objecting such grounds may include statutory grounds or where the processing of your personal data is required for compliance for the exercise of rights or defending legal claims or in the public interest.
4. Right to request deletion of data: In some cases, you have the right to request that the Company delete or destroy your information or make your information non-identifiable in the following cases:
   • 4.1 Personal data is no longer necessary for the purposes for which it was collected, used or disclosed.
   • 4.2 You withdraw your consent to collect, use or disclosure, and the Company has no longer any legal grounds to collect, use or disclose personal information.
   • 4.3 You object to the collection, use or disclosure of personal data and the Company has no legal grounds to refuse the request and/or,
   4.4 When personal data has been collected, used or disclosed legally under the Personal Data Protection Act.
5. Right to restriction of processing of your data: You have the right to request that the Company in handling your personal information in the following cases.
   • 5.1 Personal data is undergoing verification to verify that it is accurate, current and complete.
   • 5.2 Personal data should be deleted or destroyed because it does not comply with the law but you ask that only to limit the use.
   • 5.3 Personal data is no longer necessary for the purposes for which it was collected, used or disclosed but you need to request data retention in order to establish legal claims including the execution of claims, the use or defense of legal claims.
   5.4 The Company is pending confirmation of the correctness of the principle of refusing the request for objection to the collection, use or disclosure of personal data.
6. Right to rectification of information: You have the right to request that inaccurate personal data be corrected to make it accurate, current, complete and not misleading.
7. Right to submit a complaint: You have the right to file a complaint with the Personal Data Protection Committee in the event that the Company Data processors, employees, do not comply with the Personal Data Protection Act or other announcements under the Personal Data Protection Act.
8. Right to withdraw your consent: You can request to withdraw your consent at any time except the company has legal grounds to reject your request.

If you (1) refuse to provide some personal information that the Company notify you that it is necessary information for the performance of any law or contract or is personal data that is necessary for entering into a contract; or (2) not giving consent or denying consent to the Company to collect, use or disclose certain personal data; or (3) exercise your right to withdraw your consent to the collection, use, disclosure, transfer or processing of certain personal data which is necessary for the Company’s relationship with you or necessary to provide the service and/or the Company’s products to you may cause the Company to failure to comply with your request regarding the Company’s products or services or enter into a contract with you or perform duties under the contract that the company made to you or can contact you.

The company has measures by taking reasonable steps to ensure that your personal information is kept safe without unauthorized access or disclosure. This includes steps to ensure that your personal data is properly stored and that it is protected from misuse and there will be no loss resulting from access, unauthorized modification or disclosure. These steps include the type of system and communication security measures. This includes keeping the originals safe. In addition, your access to your personal data will be limited to those who have a legitimate business need for access to it. Although the company will take steps to protect your personal information, you should be aware that no system is safe from attack and no information on the internet is perfectly safe. Therefore, the Company cannot guarantee the security of the information you submit or received via the internet, the Company therefore asks you to send information via e-mail when the Company request only.

The company reserves the right to change, amend or update this Personal Data Policy at any time as the Company deems appropriate and the Company will notify any changes, amendments or updates for you to know on the company’s website or any other channels that the company will notify.
If the policy change will have a significant impact on the nature of the Company to collect, use or disclose your personal information or has a significant impact on you, the Company will notify you in advance for a sufficient period of time to give you the opportunity to exercise your rights in relation to personal data as stated in the section “Your rights” under this policy.

If you have comments, suggestions, questions, complaints or wish to exercise your rights in relation to the Personal Data Policy, you can contact Personal Data Protection Officer (DPO)

Pacific Cross Health Insurance Public Company Limited
152 Charter Square Building, 21st Floor, Room 21-01, North Sathorn Road, Silom, Bangrak, Bangkok 10500
8:30 a.m. to 5:30 p.m. (Monday to Friday)
Email: thdpo@th.pacificcrosshealth.com