Privacy Policy

MSIG Insurance (Thailand) Public Company Limited (“MSIG”) always attaches importance to the privacy and security of the personal data of customers and persons involved in other transactions with MSIG or MSIG’s customers (referred to as “the Data Subject” in this Privacy Policy). MSIG therefore establishes this Privacy Policy (“Privacy Policy”) for the Data Subject's acknowledgement, in accordance with the Personal Data Protection Act B.E. 2562 (“PDPA”) and applicable laws and regulations. Under this Privacy Policy, the Data Subject will be notified of the collection, use and disclosure of personal data by MSIG, source of personal data collected by MSIG, purpose of the processing of personal data, disclosure of personal data, transfer of personal data to foreign countries, retention periods, the use of personal data for the original purpose, the Information Technology system and personal data security, the rights of the Data Subject, privacy policy updates, and MSIG's Data Protection Officer (DPO) contact.

This Privacy Policy applies to:

Our customers:

• Individual customers: former and existing customers of MSIG who are individuals.

• Corporate customers: Directors, shareholders, ultimate beneficial owners, employees, legal representatives of corporate customers including other individuals authorized to act on their behalf.

Non-customers:

Individuals who do not have products or services with MSIG, but MSIG may need to collect, use or disclose the personal data of a Data Subject e.g. policy payers; beneficiaries under an insurance policy; third parties who received compensation; persons that visit MSIG website or applications; branches or offices; ultimate beneficial owners; directors or legal representatives of corporate customers that use MSIG’s services; professional advisors; including directors and shareholders of MSIG; and their legal representatives; and persons involved in other transactions with MSIG or MSIG’s customers.

 

1. Definition

"Personal Data" means information that makes it possible to identify the owner of personal data, whether directly or indirectly.

"Sensitive Personal Data" means information defined under Section 26 of PDPA, including race, ethnicity, political opinions, beliefs in cults, religions, or philosophies, sexual behavior, criminal records, health or disability information, labor union data, genetic information, biological information, or any other information that similarly affects the owner of personal data as required by law.

"Personal Data Protection Law" means the Personal Data Protection Act B.E. 2562, including subordinate regulations enacted and as amended from time to time.

 

2. Collection, Use and Disclosure of Personal Data by MSIG

The type of personal data and sensitive personal data which MSIG collects, uses, or discloses (referred to as "Processing of Personal Data" in this Privacy Policy) varies depending on the scope of products and/or services that the Data Subject may have used or had an interest in. The type of personal data shall include but not be limited to:

• General personal information such as given name, middle name, last name, gender, date of birth, age, education background, marital status, nationality.

• Contact information such as mailing address, email address, telephone number, fax number, Social Media account.

• Identification and authentication information such as identification card photo, identification number, laser number (back of identification cards), passport information certificate/alien ID information, driving license, signature.

• Employment information such as occupation, employer’s information and workplaces, position, salary/income/remuneration.

• Financial information such as income, source of income, bank account, credit card, debit card, tax information, transaction records, loans, investments, payment history.

• Product and/or services information such as products and/or services purchased by the Data Subject from MSIG or other insurance operators (e.g., insurance policy number, sum insured, changes/transactions related to an insurance policy); Information about insurance policies and claims that the Data Subject currently has with MSIG or other insurance operators (e.g., insurance coverage information, premium payment history, medical information, claims history, including the exercise of rights under the insurance policy or products or other services of MSIG or other insurance operators).

• Market research, market data such as data and opinions expressed when participating in market research or surveys/customer satisfaction.

• Verification information such as due diligence (e.g., information related to customer identification (Know Your Customer/KYC), customer due diligence (CDD), information for monitoring risk management regarding money laundering, counter terrorism and proliferation of weapons of mass destruction financing, information to monitor bankruptcy).

• Geographical, devices and software information such as MSIG branches the Data Subject contacts, the IP address, cookies, type and browser version, time zone settings, plug-in types in browsers, operating systems and platforms, user profiles, technical specifications, and personally identifiable information (e.g., mobile phone IMEI (International Mobile Equipment Identity) numbers or other unique device identifiers and any details about the mobile phone).

• User login, subscription data and profile details such as login data for using MSIG's system, transactions with MSIG through the Internet network and applications.

• Security information such as images, personal descriptions, suspicious detections or unusual transactions, photos, or video records through CCTV cameras.

• Other information such as records of correspondence and other communications between the Data Subject and MSIG in any form or method, including but not limited to telephone, email, text messages, conversations and social media communications, information provided to MSIG by the Data Subject through any channels.

• Sensitive personal information such as health information, disability information, genetic information, blood type, criminal records, religion, biometric data (e.g., face recognition, fingerprint, voice recognition, and retina recognition).

 

3. Source of Personal Data Collected by MSIG

In general, MSIG collects personal data directly from the Data Subject, but in some cases MSIG may obtain the personal data from other sources; in such cases MSIG will ensure compliance with the PDPA. Personal data collected from other sources may include but not be limited to:

• When the Data Subject expresses an intent to purchase or use personal insurance, group insurance, and/or when the Data Subject accesses or uses the website or application and/or services online, on mobile devices or by telephone or other services of MSIG ("Products" or "Services").

• When the Data Subject submits documents and applications for purchase or use, or when the Data Subject provides information while considering purchasing or using MSIG's products or services.

• When the Data Subject submits a request for changes or improvements to the products purchased by the Data Subject, or the services used by the Data Subject, or any other requests regarding the products purchased by the Data Subject or the services used by the Data Subject, including the submission of forms and documents relating to MSIG's products.

• When the Data Subject is in contact with MSIG’s employees, customer service representatives, sales representatives, non-life insurance agents, non-life insurance brokers, contractors, partners, service providers, delegated persons or other persons or other related entities of MSIG (collectively, "Representatives and Partners of MSIG") via the website, application, social media, phone call, e-mail, direct meeting, interview, short messages (SMS), fax, postal mail, or by any other methods.

• When MSIG receives advice regarding the Data Subject or when MSIG collects personal information from its representatives and partners.

• When MSIG receives personal information from third parties regarding the Data Subject, including but not limited to obtaining information from the public sources, personal or commercial data sources, websites, social media resources, data providers, medical resources, public health facilities, hospitals, doctors, other health professionals, other insurance operators, associations or confederations of businesses relating to products purchased by the Data Subject or the services used by the Data Subject, application forms for the products purchased by the Data Subject, or the services used by the Data Subject, the risk guarantee of the product purchased by the Data Subject, complaints about products and/or products and services of MSIG purchased or used by the Data Subject ("Third Party Sources").

• When MSIG receives personal information from third parties regarding the Data Subject for compliance purposes and for other regulatory purposes, as well as for other legitimate purposes; for example, MSIG may obtain personal data of the Data Subject from the Office of Insurance Commission (OIC).

• When MSIG receives personal information from corporate customers where the Data Subject is a director, authorized person, representative or contact person representing the corporate entity.

• When the Data Subject communicates with MSIG, whether written or verbal communication, regardless of whether MSIG makes contact first or not.

• When the Data Subject sends personal information to MSIG to participate in marketing activities, contests, lucky draws, events, or competitions held by or on behalf of MSIG and/or its personnel and partners.

When the Data Subject provides any personal data relating to third parties to MSIG (such third parties include but are not limited to the insured, family members, policy payers, or beneficiaries), the Data Subject must comply with the laws governing the protection of personal data. Whether seeking consent or notifying third parties of this Privacy Policy on behalf of MSIG, the Data Subject represents and guarantees the accuracy of the personal data, as well as ensuring and guaranteeing that the Data Subject has fully informed such person about the details of this Privacy Policy.

 

4. Purpose of Processing of Personal Data

MSIG will process personal data where it is necessary or lawfully required. This includes when MSIG processes personal data based on the connection with an insurance contract or contract execution, the legitimate interests of MSIG, for analysis and statistics, for compliance with laws and regulations, and for other actions as necessary. The purposes of processing personal data are provided below:

Based on the connection with an insurance contract or contract execution:

• To offer, sell, arrange, operate, follow the procedures, and manage MSIG's products and/or services to the Data Subject.

• To follow the procedures for managing, completing, providing MSIG services or products, and the introduction of appropriate products and services to the Data Subject, compliance with insurance application, management of products purchased by the Data Subject, collecting premiums or outstanding money from the Data Subject, investigation, analysis and processing, payment of claims/benefits under the insurance policy, renewal/revisions of an insurance policy, cancellation of an insurance policy, as well as the exercise of any rights under the insurance policy, including inherited rights (if any).

Based on the legitimate interests of MSIG:

• For the management of MSIG's insurance, such as the design of new MSIG products or services, or the addition of existing products or services of MSIG, reinsurance for MSIG's products or services to the Data Subject.

• To communicate with the Data Subject, including communicating information about the management and other information about the product or any service that the Data Subject may have with MSIG, providing technical support regarding MSIG's websites and applications or communications regarding any changes to this Privacy Policy in the future.

• To prevent fraud, such as investigating or preventing fraudulent activity, concealment of actual statements and other offenses, whether actual or suspected offenses, especially for communication with financial services and insurance operators, as well as for communication with regulators related to MSIG.

• To provide online communication channels, such as to provide the Data Subject with access to content on the Website, applications or social media platforms or specified services. MSIG may process the website/application/social media platform data, for the analysis of websites, applications or social media platforms used by the Data Subject to understand the nature of use that the Data Subject prefers, to arrange for the websites, applications or social media platforms to respond appropriately and specifically to the Data Subject, for assessment or processing and improvement of websites, applications or social media platforms, or MSIG products and/or services, troubleshooting various issues, product recommendations and/ or related services, and advertising arrangements on websites, applications, and other channels according to the target audience.

• For the restructuring of MSIG, such as for the purpose of restructuring MSIG's organization and for the transactions of MSIG, including the purchase or sale of any part of MSIG's business (if any).

• For data management purposes, such as for management purposes, data storage, record, back up, or destroying personal data.

• To develop MSIG's products and services, such as inspections and quality enhancements, as well as training when recording MSIG's communications.

• To comply with MSIG's policies in accordance with the requirements under MSIG's internal policies.

• For sales promotion purposes, such as providing information about insurance products and appropriate services to the Data Subject, which may include providing any advice and information on sales promotion activities such as reward/benefit programs for being brand-loyal customers or providing privileges, charitable/non-profit activities, and marketing activities, events, and other activities in which the Data Subjects can choose to participate.

For analysis and statistics:

Conducting market research, advanced data analysis and statistical research or actuarial purposes, reporting or evaluation of financial results prepared by MSIG, its Group of Companies, representative and partners of MSIG or regulatory authorities related to MSIG.

For compliance with laws and regulations:

• For compliance with the laws and regulations or the audits of MSIG's business, whether an internal audit or a third party audit.

• To comply with the requirements of applicable laws and regulations, agreements or policies established by the regulators, law enforcement agencies, disputes resolution authorities, the OIC, or the agency that supervises the insurance business.

• For the purposes of law enforcement or assistance, cooperation, investigation by MSIG or on behalf of MSIG by the police, competent officers, government officials; or by government agencies or other regulatory authorities in Thailand; and the implementation of duties to report incidents as required by law, or as agreed with government agencies or other regulatory bodies in any country or territory, or under the officers of government agencies’ orders.

• To support the supervision and promotion of the insurance business as specified by the OIC and in accordance with the laws of the Non-Life Insurance business. This includes the Privacy Policy of the OIC (please read more about the OIC’s Privacy Policy at www.oic.or.th).

For other actions as necessary:

For necessary actions relating to any of the above purposes. Unless applicable laws and regulations, including the PDPA, allow otherwise, if MSIG wishes to use the personal data of the Data Subject for any purpose other than those specified in this Privacy Policy or in addition to the purposes directly related to this Privacy Policy, MSIG will notify and request the consent from the Data Subject.

5. Disclosure of Personal Information

Under the rules of Personal Data Protection Law, MSIG may disclose the personal data of the Data Subject to the following parties in and outside of Thailand:

• Persons who are business partners of MSIG or third parties involved in insurance products offered to the Data Subject or products that the Data Subject may be interested in, such as reinsurance/joint insurance companies, investment management companies, banks, financial institutions, credit rating institutions, policyholders in the case of group insurance products.

• Persons who induce, indicate the opportunity, arrange, offer, sell, distribute or provide products and/or services offered by MSIG, or Group companies, to the Data Subject, such as non-life insurance agents, non-life insurance brokers, including the representatives of the corporate brokers.

• Representatives and partners of MSIG who provide services related to the management or processing of personal data, such as services related to business operations, payment services, debt collection; or telecommunications services, technology services, cloud services, recruitment services, call center services, document storage services, data logging services, document scanning services, postal services, publishing services, parcel delivery services by the courier, data analysis services, marketing services, research services, emergency management services, legal services or other services related to MSIG's business operations or management, implementation, compliance with procedures or management of MSIG's products or services to the Data Subject.

• Pre-underwriting service providers such as surveyors, etc.

• Service providers to reimburse claims, such as loss adjusters, car service centers, garages, hospitals, etc.

• Other insurance operators.

• Associations or confederations in the insurance sector, such as the Thai General Insurance Association.

• Affiliate companies, group companies both domestic and foreign.

• Law enforcement agencies, committees established in accordance with the laws, government agencies or regulatory bodies, dispute resolution authorities, or any other person in Thailand, which MSIG or its group companies must disclose information due to legal obligations and/ or compliance with laws and regulations in Thailand, and may include government agencies in the countries where the group companies are located, or due to the agreements or policies between MSIG, group companies and the state, regulatory authorities or other related parties.

• Professional consultants such as lawyers, doctors, auditors or advisors.

• Any person or entity to which the Data Subject consents to disclose the personal data.

• The person who enters into a transaction or will enter into a transaction with MSIG when the personal data of the Data Subject may be part of the purchase or sale, or part of the offering or selling of MSIG business (if any).

• Any person or entity authorized by applicable laws and regulations.

 

6. Transfer of personal data to foreign countries

MSIG may be required to send or transfer personal data of the Data Subject to affiliates or group companies, or to other recipients located abroad, as part of MSIG's normal business practices, such as sending or transferring personal data to servers or clouds located abroad. The transmission or transfer of such personal data is subject to contractual requirements relating to the confidentiality and security of personal data in accordance with laws and regulations regarding the protection of personal data. In the event that MSIG sends or transfers personal data of the Data Subject to a foreign country, MSIG shall comply with the Binding Corporate Rules approved by the Personal Data Protection Committee (“PDPC”) (if any) or personal data protection standards, which determine appropriate measures to protect personal data sent or transferred abroad (depending on the case).

 

7. Retention period

MSIG will retain the personal data for no more than 10 years from the end of the insurance contract or from the date of the arbitration's decision or the court's final judgment (depending on the case) unless the law requires MSIG to retain personal data longer than the specified period of time. MSIG may continue to retain personal data of the Data Subject if necessary, in order to take any action under applicable laws, such as the establishment of legal claims, compliance or the exercise of legal claims or raising the defense of legal claims. MSIG will delete or destroy personal data or make it anonymized when it is no longer needed or at the end of the above-mentioned period.

 

8. Use of personal data for the original purpose

MSIG is entitled to continue collecting and using the personal data of the Data Subject, which has previously been collected by MSIG before the effectiveness of the PDPA in relation to the collection, use and disclosure of personal data, in accordance with its original purposes. If the Data Subject does not wish MSIG to continue collecting and using his/her personal data, the Data Subject may notify MSIG to withdraw his/her consent by contacting MSIG’s Data Protection Officer (DPO) at any time. (Please see more details on MSIG's Personal Data Protection Officer Contact in Article 12.)

 

9. Information Technology System and Personal Data Security

MSIG has information security measures in place and strictly enforces the Information Security (“IS”) policy to ensure the safeguarding of personal data. The executives, employees, agents and third parties who receive information from MSIG must comply with MSIG's IS policy, which is regularly reviewed in order to ensure that the information technology system is effective in maintaining appropriate security. MSIG also sets measures to prevent personal information from being stolen or violated, such as determining the access rights to personal data on a necessity basis, installing software against computer viruses and fraudulent emails (phishing mails), and incorporating confidentiality clauses in agreements so that the contract parties will not use or disclose personal data out of scope or without authority, including establishing a personal data breach notification process and a monitoring system for deleting or destroying personal data as required by law.

 

10. Rights of the Data Subject

Data Subjects can exercise their rights under the PDPA as follows:

• Revoke or request to change the scope of consent of the Data Subject provided to MSIG.

• Request to access or obtain a copy of personal data, or request disclosure of the sources of personal data for which the Data Subject did not give consent.

• Obtain personal data of the Data Subject or request to send or transfer their personal data to another data controller.

• Object to the processing of personal data in the following cases:

   - If personal data is collected without consent according to the public interest or the legitimate interests under Section 24 (4) or (5) of the PDPA, unless MSIG can prove that there are significant legitimate grounds or is intended to establish a legal claim, compliance or the exercise of legal claims or raising the defense of legal claims.

   - Processing of personal data for direct marketing purposes.

   - Processing of personal data for the purposes of scientific, historical, or statistical research, unless it is necessary for MSIG's public interest.

• Request to delete or destroy or anonymize the personal data collected by MSIG in accordance with the criteria required by the PDPA.

• Request to restrict the processing of personal data in accordance with the criteria required by the PDPA.

• Request to correct any personal data of the Data Subject to be accurate, current, complete and not misleading. If MSIG is unable to do so, the Data Subject has the right to request to record such request and the reasons in accordance with the criteria required by the PDPA.

MSIG reserves the right to consider the request to exercise the rights of the Data Subject as appropriate and in accordance with the criteria required by laws; however, the Data Subject may need to bear the reasonable costs for the requests.

In addition to the rights of the Data Subject as stated above, the Data Subject also has the right to lodge a complaint regarding breach or non-compliance of Personal Data Protection Law to the PDPC in accordance with the criteria required by the PDPA.

 

11. Privacy Policy Update

MSIG will review and update the Privacy Policy to ensure that the personal data is protected under the PDPA, laws and regulations relating to the protection of personal data. MSIG will announce the latest Privacy Policy on MSIG's website at https://www.msig-thai.com/en/privacy-policy.

 

12. MSIG's Data Protection Officer (DPO) Contact

For any enquiry about this Privacy Policy, please contact MSIG's Data Protection Officer as follows:

• Email: dpo@th.msig-asia.com

• Postal mail:

MSIG’s Data Protection Officer (MSIG’s DPO)

MSIG Insurance (Thailand) Public Company Limited, 15th Floor,

1908 MSIG Building, New Phetchaburi Road, Bang Kapi, Huai Khwang, Bangkok 10310

 

If the Data Subject wishes to exercise the rights of the Data Subject under this Privacy Policy, please download and fill in the form “Requesting the Exercise of Data subject’s Right”, posted on MSIG’s website, and submit it to MSIG's DPO.

 

This Privacy Policy was updated and announced on 1st March 2024.