Good Corporate Governance


Personal Data Protection Policy

1. Purpose

This Personal Data Protection Policy aims to provide a framework for overseeing the protection and security of the Company's personal data and to support the Company's strategy in managing personal data to create positive business results. It establishes guidelines for the management of personal data under the Company's control, including the secure collection, record, use, and disclosure of personal data, as well as the prevention and remedy of damages resulting from violations of the privacy rights of data owners. This is in accordance with personal data protection laws and international standards.

2. Scope

This policy applies to the Company’s personnel and those related to the Company, including but not limited to life insurance agents, financial advisors, brokers, partners, external service providers, etc. Those individuals must study and strictly follow this policy. Any violation may be subject to punishment according to the Company’s policy and/or legal penalties, including termination of the business relationship.

3. Effective Date

This policy shall be effective from the date of approval by the Board of Directors.

4. Review Frequency and Revision

This policy must be reviewed annually, or when a significant change arises.

5. Responsible Function

The PDPA Governance Committee (PDPAGC) is the responsible function for this policy.

6. Definition

“The Company” means Bangkok Life Assurance Public Company Limited.

“Subsidiary” means a company in which the Company holds, directly or indirectly, more than 50% of the voting shares.

“Personal Data” means data relating to an individual that can identify that individual, whether directly or indirectly. Personal data is classified into two types: general personal data and sensitive personal data.

“Data Subject” means an individual who can be identified by personal data, such as customers, employees, directors, life insurance agents, financial advisors, etc.

“Personal Data Protection Laws” means the Personal Data Protection Act B.E. 2562 and the legislation issued under that Act, including other enforceable laws relating to personal data protection.

“Breach of Personal Data” means a violation of security measures that leads to the destruction, loss, access, use, change, modification, or disclosure of personal data without authorization or unlawfully.

7. General Principle

The Company recognizes the importance of personal data and the privacy of data subjects. In the rapidly changing technological landscape and the transition to a digital society, the Company is committed to and prioritizes the protection of personal data and the prevention of data breaches within the Company’s control. Therefore, the Board of Directors deems it appropriate to establish this Personal Data Protection Policy.

8. Requirement

8.1 Personal Data Protection Principles

The Company collects, records, uses, and discloses personal data in accordance with the “Personal Data Protection Principles” under personal data protection laws, which are in line with international standards. Where neither personal data protection laws nor this policy specify otherwise, the Company will process personal data according to the following principles:

8.1.1 The Company collects, records, uses, and discloses personal data fairly, transparently, and verifiably, and only for purposes that it may lawfully pursue. (Lawfulness, Fairness and Transparency)
8.1.2 The Company processes personal data only for specified purposes. Those purposes are lawful and are communicated to data subjects before or while the personal data is processed. (Purpose Limitation)
8.1.3 When the Company collects personal data, it collects only the personal data that is relevant and necessary to appropriately achieve the specified purposes of processing. (Data Minimization)
8.1.4 The Company has appropriate processes to keep the personal data under its supervision accurate, current, complete, ready for use, and not misleading. (Accuracy)
8.1.5 The Company’s personal data retention period is in line with its specified purposes and/or legitimate purposes. (Storage Limitation)
8.1.6 The Company has appropriate organizational, technical, and physical security measures for personal data. (Security)
8.1.7 The Company has measures in place to ensure that its personnel protect personal data according to these principles. (Accountability)

8.2 Execution on Protecting Personal Data

The Company specifies frameworks for personal data management, which cover the collection, recording, use, and disclosure of personal data; the assessment of risks and impacts arising from the use of personal data; the exercise of data subjects’ rights; the use of external service providers; security measures; the handling of breaches; etc., taking into account the importance of the data subject’s privacy. These frameworks follow international standards and personal data protection laws.

8.3 Training and Raising Awareness

The Company arranges training and raises awareness so that its personnel and related persons understand personal data protection principles, the Company’s Personal Data Protection Policy, and personal data protection laws.

8.4 Monitoring, Evaluation, and Inspection

The Company appropriately governs, monitors, inspects, and evaluates performance under this policy to ensure that the standards of internal controls and the services provided are effective and in line with related regulations and laws.

9. Penalty

Violation of this policy constitutes a breach of the Company’s fundamental requirements and/or the Company’s Code of Conduct for All Personnel. Violators may be subject to the Company’s regulations and/or legal penalties, including termination of business relationships.