Personal Data Protection Policy

Personal Data Protection Policy

Pacific Cross Health Insurance Public Company Limited

         As the Pacific Cross Health Insurance PCL. (herein referred to as the Company), we are an insurance company with insurance expertise to health, accident and travel insurance. We understand the importance of personal data protection of data subjects, customers and persons who involved with the Company’s business which is a fundamental right to privacy of the person. We wish to provide the security standards to protect any information details of data subjects, customers and persons who involved with the Company’s business pursuant to the Personal Data Protection Act regarding the collecting, use or disclosure (Processing) of the Personal Data and the rights of the data subjects to assure the data subjects. The Company as the Personal Data Controller and/or the Personal Data Processor has thus established this Privacy Policy and Notice the details as follows.

This Privacy Policy and Notice applies to personal data of

            (1) the Company's ordinary customers both as target customers (prospect), current and past customers

         (2) employees, personnel, officers, representatives, shareholders, authorized persons, directors, contacts, agents, brokers and other natural persons who related to corporate clients of the Company both as target customers (prospect), current and past customers and

          (3) natural persons who are not the Company's customers who have transactions or activities or have relationships with the Company, such as external service providers, business partners, contract parties or shareholders of the company, etc.

Hereinafter if not specifically referred to (1) to (3) the persons under (1) to (3) are collectively referred to as “Personal Data Subject”

Clause 1 Definitions

          “Person means a natural person.“

          "Personal Data means any information relating to a Person, which enables the identification of such Person, whether directly or indirectly. The Company may collect, use and/or disclose of the personal data of the data subject that obtained directly from the data subject (such as the Company's registration platform) or obtained or accessed from other sources (such as the Insured, Department of Business Development, Ministry of Commerce, Department of Provincial Administration, Ministry of Interior, Department of Consular Affairs, Ministry of Foreign Affairs, Credit Information Company, Legal Execution Department, Financial Institutions, Professional Consultants, Social Media, Third Party Online Platforms or other public sources), or through our affiliates, service providers, business partners, an official agency or a third party such as a transport company.“

         “Sensitive Data means an information that is the person's actual privacy but there is a subtlety and may risk unfair discrimination such as race, ethnicity, political opinions, belief in a cult, religion or philosophy, sexual behavior, criminal records, health information, disability, trade union information, genetic information, biological information or any other information which affects the Data Subject in the same way as announced by the Personal Data Protection Committee.“

         “Data Subject means a Person who owns the personal data but this is not the case when the individual owns the data (Ownership) or is the creator or collecting such information, and does not include a “Juridical Person” established by law such as a company, association, foundation or any other organization.“

         “Data Controller means a Person or a juristic person having the power and duties to make decisions regarding the collecting, use, or disclosure of the Personal Data.“

         “Data Processor means a person or a juristic person who operates in relation to the collecting, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such Person or juristic person is not the Data Controller.“

         “Cookies means text files or pieces of information stored on a computer or mobile device (such as a smartphone or tablet) when visiting websites.“

         Whereas the Company operates in relation to the collecting, use, or disclosure (processing activities) of your personal data under the following principles:

         • Legality, Fairness and Transparency: The Company will process data only for the Company has a lawful basis support and the Company will clearly determines the methods for collecting and using  personal data.

         • Purpose Limitation: The Company will process data only for the purposes that specified and notified at the time the Company receives personal data only unless it is a processing for related purpose or clear legal duties.

         • Data Minimization: The Company will collect and use personal data only as necessary to achieve the purposes of data processing.

         • Accuracy: The Company will undertake reasonable steps to provide the personal data that the Company stored is accurate, complete and current with regard to the purpose of processing.

         • Storage Limitation: The Company will keep the information as needed unless there is required to keep pursuant to the standards of document retention or the state regulations.

         • Integrity and Confidentiality: The Company will provide appropriate technical and administrative measures to ensure that personal data collected by the Company is maintained at an appropriate level of security.

         • Accountability: The Company will undertake the appropriate action to be able to demonstrate that it has complied with the above principles.

Clause 2 Personal Data that the Company collect, use and/or disclose

            The personal data that the Company may collect, use and/or disclose can divide in 2 types as follows:

            (1) General Personal Data

                 The Company may collect, use and/or disclose general personal information as follows:

a) Contact information such as address, telephone number, mobile number, fax numbers, e-mail addresses and other electronic communications, identification numbers (Policy Numbers) with the Company including the information of the data subject's attorney or the authorized person on behalf of the owner of such information is a Juristic Person.

b) Financial information and information related to transactions with the Company, such as income, expenses, information of assets, premium payment or debt payment, service usage information and the company's product, policy number and type, bank account number and type, policy history, claims record, trading history and balance, payment history and transactions, salary, tax information.

c) Visual and audio information in contacting the Company such as video recording from CCTV or via online communication or other electronic channels of the Company.

d) Other personal data obtained in connection with the Company such as data obtained from the data subject who is attending events, meetings, training seminars or social events with the company, beneficiary of the insurance policy.

e) Usage data or services, such as data of the data subject's use on website, platform, cookies, Insurance application form, claim form and information related to your claim, information details of the products and services that you specified as interested or has bought from the Company.>

f) Your personal information which enables your identification such as first name,
last name, national ID card number, passport number, driver's license number, date of birth, occupation and photograph.

           (2)  Sensitive Data

         means an information that is the person's actual privacy but there is a subtlety and may risk unfair discrimination such as race, ethnicity, political opinions, belief in a cult, religion or philosophy, sexual behavior, criminal records, health information, disability, trade union information, genetic information, biological information or any other information which affects the Data Subject in the same way as announced by the Personal Data Protection Committee.

         The Company collects and processes the Sensitive Data from you based on the lawful basis of personal data protection according to Section 26 to undertake such data collection without request for consent. However, if there are cases that the Company is required to collect such personal data other than those authorized by law, the Company will request your explicit consent before proceeding the collecting, processing of such personal data.

         In the event that the data subject does not provide personal data or provide an inaccurate or out of date of the personal data to the company, this may affect the data subject who may not be able to transact with the company or may not be convenient or unable to comply with existing contracts with the Company and may cause damages or lose opportunities to the data subject and may affect compliance with any laws that the data subject or the Company must comply.

Clause 3 The Source of your Personal Data

         The Company will collect your personal data through the following channels:

3.1 Personal data that you have provided to the Company directly

            Generally, the Company will directly collect the personal data from you. This usually arises from your communication with the Company for inquiries, comments, feedbacks or complaints through the website, application, telephone, e-mail, various any the Company’s request forms to order products or hire or use services from the Company and enter into contracts with the Company, offer to sell products or hire or provide services to the Company and entering into contracts, participating in marketing activities or other activities, etc.

3.2 Personal data that the Company automatically collects from you.

                The Company may collect certain technical information of devices, activities and traffic patterns or your automatic browsing history information.

3.3 Personal data held by the Company received from outsiders.

          The Company may occasionally obtain your personal data from third party such as from the insurers, job applicants, employees, agents, brokers, hospitals, public sources, resources of your business or commercial resources whether you provide personal data by yourself or has given consent to anyone to disclose your such personal data to the company's service providers or government agencies.

Clause 4 the Objectives which the Company Collects, Uses and/or Discloses Personal Data

           The Company operates in relation to collects, uses and/or discloses your personal data for the previous purpose prior to the effective date of the Personal Data Protection Act as follows:

4.1 Objectives that the Company undertake in accordance with rules or lawful basis in processing of the personal data

            The company may rely on rules or the following lawful basis for collecting, using and/or disclosure personal data, that is:

4.1.1 It is necessary for the performance under the contract for entering into or comply to  contracts with the data subject.

4.1.2 It is the duties to comply with the law.

4.1.3 It is necessary for the legitimate interests of the Company and outsiders to balance the interests and fundamental rights and freedoms in relation to the protection of the personal data of data subjects.

4.1.4 For the prevention or suppression of danger to life, body or health of a person.

4.1.5 Public interests for the performance of duties in carrying out missions in the public interest or performance of duties in the exercise of state power, the company will rely on the criteria or the lawful basis in (4.1.1) to (4.1.5) above for the collecting, use and/or disclosure of personal data for the following purposes:

  • Contacting to the Data Subject before entering into a contract with the Company or operates upon the request of the data subject.
  • Relationship management between the Data Subject and the Company and management of accounts that the data subject has with the Company.
  • Resolution of the data subject’s complaints, managing or investigating any complaints, claims or disputes related to products or services.
  • Prevention, detection and investigation of fraud, misconduct or unlawful activities whether requested by government agencies or regulators or not, and analysis and risk management.
  • Compliance with various laws related to the Company's business operations such as insurance laws, anti-money laundering laws, tax laws, rules, regulations, guidelines, orders, advice and requirements from government agencies, tax agency, law enforcement agencies, other agencies or regulators (whether in the country or abroad), such as the Revenue Department, Social Security Office, Department of Labor Protection and Welfare, Office of Insurance Commission, Legal Execution Department, Student Loan Fund, Department of Skill Development , Ministry of Commerce, Ministry of Labor, etc.
  • Contacts, notifications, reminders to pay the premiums due, claims or enforcing legal or contractual rights, transfer of rights and/or duties, debt collection, financial audit by auditor or obtaining services from legal advisors.
  • Compliance with the Company's obligations under any contracts which the Company is a party, such as a contract with service providers, any person or juristic person, or under contracts in which the Company acts as an agent and/or broker, etc.
  • Audio recordings or visual and/or sound record, Digital Video Recorder on CCTV for verification of data subjects transacting with the Company, the use to improve or develop the Company's services, data subject complaint, handling or Company security
  • In the event that the Company will process your personal data in such manner and/or for purposes inconsistent with the purposes stated above, the Company will provide a policy or additional privacy notices and/or send a letter to you for explaining the processing of such data. You should read the policy or additional announcements related to this announcement and/or the aforementioned letter (depending on the case).
  • You agree not to deliver any data that is incorrect and/or misleading to the Company and you agree to notify the company of any inaccuracies or changes of that data. The Company reserves the right to request delivery of any additional documents to verify the data that you have provided to the Company, and the Company considers as appropriate.
  • If you have provided personal data of a third party to the Company, emergency contact, referring persons and persons giving referrals, such as name, surname, address, telephone number, family income, and personal information and other contact information in an emergency, fill out an application, or transact with the Company. You certify that such information or data is lawful. Please inform aforementioned persons of this privacy policy and/or get consent from them.

4.2 Objectives for which consent is required by the Company

            The Company relies on the consent of the data subject as follows:

a)   Marketing communicationsoffering a special offer, promotional materials related to products and services or offering financial options or investment to the data subject which the Company cannot rely on any rules or other lawful basis.

b)   Collecting, using and/or disclosure of sensitive data of the data subject besides the lawful basis.

c)   The transfer of the data subject's personal data to the countries that not have an adequate level of data protection.

Clause 5 Disclosure of the Personal Data

         To carry out the purposes stated as specified in this privacy policy and notice. Your personal data  may be disclosed or delivered to the departments in the Company or person or external agencies as follows:

5.1 Internal Disclosure

            Your personal data may be disclosed or delivered to the departments only relevant to such the personal data and only to the roles and responsibilities with necessary for the purposes, the person or staff of the Company will be permitted to reach your personal data as necessary and appropriate.

•   Sale officers or other department officers who only relevant by set the access rights according to the roles and responsibilities.

•   Executive officers or your direct supervisor who responsible for managing or make decisions about you or when it has to involve with Human Resources procedures.

•   Various departments or support teams such as People, Sales, Customer management, Accounting, Product and Design, and IT, etc.

5.2 External Disclosure

            Your personal data may be disclosed or deliver to external organizations as follows:

5.2.1    Government Agencies, Regulators or Other Agencies as Required by Law, such as the Revenue Department, Social Security Office, Department of Labor Protection and Welfare, Legal Execution Department, Student Loan Fund, Department of Skill Development, Ministry of Commerce, Ministry of Labor or any other agency by virtue of law.

5.2.2    Organizations or Third Parties: The Company may disclose your personal data to organizations or third parties who contacts, inquiries, requests for audit purposes of your transactions and in order to provide services or provide products according to your needs, such as agents, brokers, reinsurers, hospitals, provident funds, successors, heirs, legal representatives or executors or guardians or custodian, contractors or processors.

Clause 6 Lawful Basis for Processing Personal Data

         The Company processes the personal data on the lawful basis of the Personal Data Protection Act pursuant to Section 24 as follows:

6.1 Consent, in the case of there is no any other lawful basis for the exercise of such action, your consent must be obtained first.

6.2 Archives/Statistic/Research, to achieve objectives relating to the preparation of historical documents or archives of the public interests or relating to research or statistics which have provides for appropriate safeguards to protect your rights and freedoms.

6.3  Vital Interests of life, to prevent or suppress a danger to life, body or health of a person.

6.4  Contract, it is necessary for the performance of the contract which you are a party or using in the processing of your request before entering into the contract.

6.5  Public Interest, it is necessary for the performance of duties in the public interest of the Data Controller or performing duties in the exercise of state powers given to the Controller of Personal Data.

6.6  Legitimate Interests, it is necessary for the legitimate interests of the data controller or the person or the other juristic person which is not the data controller unless such benefits are less important than the fundamental rights in the personal data of the data subject.

6.7  Legal Compliance, it is a compliance with the legal requirements of the Data Controller.

If it is the sensitive data, it pursuant to the rules under Section 26 of the Personal Data Protection Act 2019 which requires consent unless there are exceptions by law.

Clause 7 Using of Cookies and/or Similar Technologies

         The company may collect and use cookies to store websites access information such as date, time, clicked links, pages visited, various setting conditions by saved to your devices, computers and/or accessed   communication devices such as laptops, tablets or smartphones via a web browser while you enter the website. 

         Cookies will not harm your devices, computers and/or communication devices. In the following cases, your personal data may be collected in order to enhance your experience of using the online services by remembering the uniqueness of the language and customize usage according to your needs to confirm the unique characteristics, your security information including such services that you are interested. Moreover, Cookies are also used to measure the amount of access to online services.

         Modifying of content will be based on your previous and current accessed online information behavior and may have advertising and public relations purposes that you can learn more details from “Cookie Policy” of the company. (https://www.pacificcrosshealth.com/cookiespolicy/)

Clause 8 Sending or Transferring your Personal Data Abroad

         The Company may send or transfer your personal data to other countries for:

8.1 Reinsurance

8.2 Headquarters and oversea branches

           The Company have operated in accordance with the rules for protection of the personal data sent or transferred to other countries that the Personal Data Committee has announced unless in the following cases:

8.2.1    It is to comply with the law that requires the Company to send or transfer the personal data abroad.

8.2.2    The Company has notified and obtained your consent, in the event where the destination country has inadequate standards of the personal data protection. This is  according to the list of countries announced by the Personal Data Protection Committee.

8.2.3    To prevent or suppress a danger to your life, body or health, or of other persons when you are unable to give consent at that time or to carry out a mission in the public interest.

Clause 9 Retention and Retention Period of Your Personal Data

9.1 The Company will store your personal data for as long as necessary, taking into account the necessity and purpose that the Company shall collect use and process. This includes complying with applicable legal requirements.

9.2 The Company will continue to collect, use and disclose your personal data as necessary, even if you terminate your relationship with the Company as required by the provisions of the law for the legitimate interest or collecting it in pattern that makes it non-identifiable either directly or indirectly, such as “Anonymous Data” or “Pseudonymous Data that is made no longer personally identifiable by means of technical methods” (Pseudonymous Data)

9.3 The Company may keep your personal data as long as it is necessary to achieve the purposes of processing your personal data as specific in this Privacy Notice. The Company will keep your personal data
no more than 10 years from the date you terminate the relationship or the last contact with the Company. The Company may retain your personal data for longer than the period specified above if required to if comply with the law.

9.4 The Company will conduct investigations to delete or destroy the personal data, making it impossible to permanently identify the data subject or otherwise to limit all personal data after the retention period has expired or irrelevant or beyond the necessity of the purpose of collecting such personal data or when the Company has to comply with your request for the company to delete your personal data.

Clause 10 How does the Company Protect Your Personal Data?

         The Company prioritizes the security of your personal data as the first priority, such as encryption, restriction of access to the personal data, to ensure that our personnel and third parties who acting on behalf of the Company comply with the appropriate standards of personal data protection which this includes the obligation to prevent data leakage and the Company will take appropriate security measures in relation to the data processing.

         The Company will carefully keep your personal data in accordance with the Technical Measure and Organizational Measure, to maintain appropriate security of the data processing and prevent personal data breaches. The Company has determined policies, rules and regulations for the personal data protection including measures to prevent recipients of Company’s data using or disclosing such data beside the intended purpose or without authority or illegal, and the Company has improved this policy, rules and regulations periodically apply as necessary and appropriate. In addition, executives, employees, contractors, agents, consultants and recipients of data from the Company have duties to maintain the confidentiality of personal data in accordance with the confidentiality measures set by the Company.

         The Company has reviewed, regularly updated the procedures and security measures of the Company's personal data in order to obtain a level of security of personal data appropriate to the risks and ensure the confidentiality of personal data, integrity, availability and flexibility of the processing of personal data continually, including protection against loss and collection, access, use, modification, alteration or disclosure of personal data without permission. In order that, the company will take various measures about the personal data protection applies to all types of data processing whether in electronic or document.

Clause 11 Your Rights Under the Personal Data Protection Act 2019

         The Personal Data Protection Act 2019 aims to make your personal data more in your control, by you can exercise your rights under the Personal Data Protection Act 2019 which you have the right to exercise as the following:

11.1  Right to Revoke Consent

         If you have given consent for the Company to collect, use and/or disclose your personal data (whether the consent you provided prior to the effective date of the Personal Data Protection Act or not), you have the right to revoke your consent at any time throughout the period that your personal data is with the Company unless there is a limitation on the rights by law or there is a contract that benefits you.

         However, revoking your consent may affect you from using the product and/or services, for example, you will not receive new benefits, promotions or any offers, will not receive the products or services that are better and relevant with your needs or will not receive useful information, etc. For your benefit, you should study and inquire regarding the impact of this before revoking your consent.

11.2  Right to Access

         You have the right to access your personal data and request the Company to make a copy of such personal data for you, includes requesting to disclose the acquisition of personal data in the Company's possession. The Company may refuse your request if accessing and obtaining a copy of the personal data affects the rights and freedom of other persons or when the Company must comply with the law or a court order prohibiting the disclosure of such personal data.

11.3  Right to Rectification

         You have the right to request the Company to correct your personal data to be accurate, current, complete and without causing misunderstandings.

11.4  Right to Restrict Processing

         The right to request suspension of the use of your personal data in any of the following cases:

11.4.1  During the period we verify your request to correct your personal data to be completed  and current.

11.4.2  Your personal data has been collected, used or disclosed unlawfully.

11.4.3  When your personal data is no longer required for retention in accordance with the purposes which we have stated to collect it but you wish to continue keep the data to support the exercise of your legal rights.

11.4.4  At the time when we are proving to you the legitimate grounds for collecting your personal data or to investigate the necessity of collecting, using or disclosing your personal data for public interest due to the fact that you have exercised the right to object such collection, use or disclosure of your personal data.

11.5  Right to Object

         You have the right to object to the collection, use and/or disclosure of your personal data at any time without exceeding the scope that you can reasonably expect.  If you file an objection, the Company will continue to collect, use and/or disclose your personal data only where the Company can reasonably demonstrate by law that it is more important than your fundamental rights or in order to assert legal rights, compliance with the law, legal defending or lawsuits, on case-by-case basis.

         Moreover, you also have the right to object to the collection, use and/or disclosure of your personal data for marketing purposes or for the purpose of scientific research, history or statistics as well.

11.6  Right to Erasure / Right to be Forgotten

         You have the right to delete or destroy your personal data or make your personal data
non-identifiable. if you believe that your personal data has been collected, used and/or disclosed unlawfully or deems that the Company is no longer necessary to retain it for the purposes related to this Privacy Notice or when you have exercised your right to withdraw your consent or exercise the right to object as notified above unless the Company has to comply with the law or claiming rights under relevant laws to retain such data.

11.7  Right to Data Portability

         You have the right to obtain your personal data, in the event that the Company has made the personal data in a format that can be read or used by tools or devices that work automatically, and can use or disclose the personal data by automated means, including the right to obtain the personal data that the company sends or transfers personal data in such form, directly, to other Data Controllers unless it can't be operated because of technical reasons.

         However, your personal data as above must be the personal data that you have given consent to the Company in collecting, using and/or disclosing or it is the personal data that the Company needs to collect, use and/or disclose in order for you to be able to use the products and/or services of the Company according to the wishes of which you are a contracting party with the Company or to process your request before using the Company's products and/or services or other personal data as required by the authorized person under the law.

11.8  Right to Complain

         You have the right to submit a complaint to the person who relevant legal authority. If you believe that the collecting, use and/or disclosure of your personal data is in violation or does not complying with relevant laws.

         If you have concerns or questions about the Company's guidelines regarding your personal data, please contact the Company as details in Clause 14 of this Privacy Policy. However, in the event that there is a reasonable ground to believe that the Company has violated the Personal Data Protection Law, you have the right to submit a complaint to an expert committee appointed by the Personal Data Protection Committee in accordance with the rules and procedures prescribed by the Personal Data Protection Law.

         In the event that the data subject submits a request to exercise their rights under the Personal Data Protection Law. When the company has received such request, it will proceed within the period specified by law. In addition, the Company reserves the right to refuse or not to act in accordance with such requests in cases where required by law.

         The Company has all rights and sole discretion to respond, process or reject your request, your exercise of rights under Clause 11 may be limited under the applicable law and there are some cases where there are necessary reasons that the Company may refuse or unable to proceed with your request to exercise the above rights such as have to obey the law or court order, public interests, the exercise of rights may violate the rights or liberties of other persons, etc. If the Company rejects the above request, the Company will also inform you of the reason for the refusal.

Clause 12 Responsibility of the Data Processor

         The Company has determined that only authorized officers who involved only in the collection, use and disclosure of personal data of the processing activity will have access to your personal data. The Company will ensure that the staff strictly comply with this Privacy Policy.

Clause 13 Changes to the Privacy Notice for Customers

         The Company will regularly review the Privacy Notice for customers in order to comply with the guidelines and applicable laws or regulations. If there is a change to the Privacy Notice for data subjects such as customers, employees, business partners, the Company will notify you of any significant changes to the Privacy Notice, along with the updated Privacy Notice through appropriate channels such as the Company's website. In addition, the Company recommends that you should periodically check for changes in this Privacy Notice regularly.

         By your accessing products or services under this processing activity, the company shall deems that you have acknowledged the terms of this Privacy Notice. However, please stop using if you do not agree with the terms of this Privacy Notice, but if you continue to use it after this Privacy Notice has been revised and posted in the aforementioned channels, the company shall deems that you have been informed of such changes.

Clause 14 Contact Channel

         If you have any suggestions or would like to inquire about the details of collection, use and/or disclosure your personal data, including the request of exercise rights under this Privacy Policy, or the processing of your personal data is inconsistent with the Personal Data Protection Act 2019, you have the right to complain to the Personal Data Protection Officer as follows:

14.1 Data Controller

– Name      : Pacific Cross Health Insurance Public Company Limited

– Address   : 152 Chartered Square Building, 21st Floor, Room 21-01, North Sathorn Road, Silom, Bangrak, Bangkok 10500

 – Email      : contactus@th.pacificcrosshealth.com

14.2 Data Protection Officer: DPO

– Name      : Khun Jindarat Asawawuttisak

– Address   : 152 Chartered Square Building, 21st Floor, Room 21-01, North Sathorn Road, Silom, Bangrak, Bangkok 10500

– Email       : thdpo@th.pacificcrosshealth.com

Clause 15 Governing Law

         You acknowledge and agree to this Privacy Notice. It is governed and construed in accordance with Thai law and the Courts of Thailand shall have jurisdiction any disputes that may arise.

                                                                                   

Revised Edition 1,
announced on 30th October 2023


 

Contacting the Company

If you have comments, suggestions, questions, complaints or wish to exercise your rights in relation to the Personal Data Policy, you can contact Personal Data Protection Officer (DPO)

Pacific Cross Health Insurance Public Company Limited
152 Charter Square Building, 21st Floor, Room 21-01, North Sathorn Road, Silom, Bangrak, Bangkok 10500
8:30 a.m. to 5:30 p.m. (Monday to Friday)
Email: thdpo@th.pacificcrosshealth.com