Bolttech (Thailand) Company Limited (‘bolttech’, ‘we’, ‘us’ or ‘our’) cares about your privacy and is fully committed to protect the privacy of your personal data.
2. What personal data we collect from you
Your personal data means any information relating to you that can identify you, whether directly or indirectly, from that data alone or in a combination with other identifiers we possess or can reasonably access, except information about the deceased. The types of personal data we collect will depend on the scope of services and/or type of products that you are interested in and we provide to you.
Depending on the type of products or services you select or your relationship with us, bolttech may collect and hold the following personal data:
• Details about you, such as name, surname, gender, date of birth, educational background, occupation, marital status and nationality • Contact details, such as your name, home address, email address, phone number and social media accounts • Identification and authentication details, such as identification card number, passport number, driving license number, photo and CCTV footage • Financial details, such as your payments, credit card numbers and bank account details • Results of any credit or background checks we have made on you • Insurance claim information, where this is relevant • Your employment information and salary • The names and addresses of your dependents or beneficiaries • Information about how you use our website, apps or other technology, including IP addresses and device information • Other information that you give us
In addition, we may also collect and hold your sensitive data such as:
• Health or medical information • Racial or ethnic origin • Sexual preferences or practices • Membership of political, professional or trade associations • Criminal records • Religious or philosophical beliefs • Genetic data; and • Biometric data.
If you do not or are unable or decline to provide certain personal data or consent us to collect, use, and disclose certain personal data which is necessary for us to make a relationship with you or provide our services and/or products to you, we may not be able to stay in contact with you, enter into a contract with you or perform our obligations resulting from a contract entered with you.
3. Why and how we collect, use and disclose your personal data
We only collect, use, disclose or process your personal data by fair and lawful means to the extent necessary for the specific purposes. We have also set out some lawful reasons why we may process your personal data. These depend on what kind of personal data we are processing.
We normally process personal data it is required or allowed by any law that applies (legal compliance), to provide the services/products set out in a contract (contracts), if it is necessary to prevent danger to a person’s life, body and health (vital interests), if it is in our legitimate interests (legitimate interest) or we have your permission (consent).
For more information about this and the reasons we may need to process your personal data, please see below.
- Legal compliance
We will rely on the purpose of legal compliance in which the processing of your personal data is necessary for compliance with a legal obligation to which we are subject.
We will rely on the purpose of contracts in which the processing of your personal data is necessary for the performance of a contract to which you are a party or in order to take steps at your request before entering into a contract.
We will process your personal data in accordance with the agreement between you and us, and for the following reasons:
a. Providing services and products to you, and administering, implementing, maintaining, managing and operating such services and products, including but not limited to insurance, financial and other products
b. Processing, assessing, and determining any applications or requests made by you in connection with our services or products, issuing or arranging insurance contracts and maintaining your account with us;
c. Creating and maintaining bolttech’s credit and risk related models;
d. Processing and implementing payment instructions;
e. Determining any amount of indebtedness owed to or by you and collecting and recovering any amount due from you or any person who has provided any security or undertaking for your liabilities;
f. Exercising any rights that we may have in connection with the services and/or products provided to you; and
g. Any purposes in connection with any claims made by or against or otherwise involving you in respect of any services and/or products provided by us, including but not limited to making, defending, analysing, investigating, processing, assessing, determining, responding to, resolving or settling such claims.
- Vital interests
We will rely on the purpose of vital interests where the processing of your personal data is necessary to prevent or avoid danger to a person’s life, body or health.
- Legitimate interests
We may rely on the purpose of legitimate interests pursued by us or by a third party which require us to process your personal data, except where the interests are overridden by your interests or fundamental rights and freedoms. Considering your interests, rights and freedoms, legitimate interests which allow us to process your personal data include:
a. Complying with obligations, policies or procedures for sharing data and information within bolttech and/or other use of data and information in accordance with bolttech programmes to comply with sanctions or to prevent or detect money laundering, terrorist financing, fraud or other crimes and unlawful activities.;
b. Meeting any present or future contractual or other commitment with any legal, regulatory, governmental, tax, law enforcement or other authorities, and self-regulatory or industry bodies such as federations or associations of insurers in Thailand or any other jurisdictions; and
c. Ensure security and business continuity.
Apart from the above lawful bases, we may process your personal data with your consent. We will only ask for your consent if there is no other lawful basis to process your personal data, especially, in the case where our processing activities have potential impact on your sensitive personal data. If we need to ask for your consent, we will make it clear what we are asking for and ask you to confirm your choice to give us that consent. If we cannot provide a product and/or service without your consent to process your personal data, we will make this clear when we ask for your consent.
We may request your consent to process your personal data for the following purposes.
a. Designing insurance and other financial products for customers;
b. Performing policy review and needs analysis (whether or not on a regular basis)
c. Operating, maintaining and providing subsequent services in relation to the applications for services and/or products;
d. Verifying and conducting any eligibility, credit, physical, medical, security, underwriting and/or identity checks for the provision of services or products;
e. Identifying and providing you with information about services or products that may benefit you or may be of interest to you;
f. Analysing and conducting data analytics, surveys and feedbacks to develop, build and implement our business models, products, services and systems which help us to provide high standard services or enhance the benefits to you
g. Marketing services and products to you; and
h. Meeting disclosure obligations imposed by laws, rules, regulations, codes of practice or guidelines (applicable in or outside Thailand) that are binding on bolttech or its subsidiaries, holding companies, partners, associated or affiliated companies, or companies controlled by, or under common control of bolttech, including but not limited to, making disclosure to legal, regulatory, governmental, tax, law enforcement or other authorities, and self-regulatory or industry bodies;
Note that when the data subject is classified as a minor, quasi-incompetent or incompetent, consent will be requested from their legal representatives, guardians or curators.
4. Informing you of your personal data collection
We will always notify you, before or at the time of collecting your personal data, about our purpose for processing. However, in some circumstances, it is not necessary for us to inform you about our processing of your personal data, such as when:
- you are aware of such new purposes or details of our processing;
- we believe that notice of such new purposes or the details of our processing is impossible or will obstruct the use or disclosure of your personal data, where we have taken suitable measures to protect your rights, freedoms and interests;
- it is urgent to use or disclose your personal data as required by law and we have implemented suitable measures to protect your interests; or
- we are aware of or acquire your personal data from our duty, occupation or profession, and we have maintained such new purposes with confidentiality as required by law.
5. How we collect your personal data
We collect your personal data in different ways which include in writing, by electronic or hard copy form, by telephone, email, in person, and over the internet such as via our website, cookies, online forms or social media.
We may collect your personal data directly from you. For example, you provide us with your personal data when you fill in an application form, deal with us over the telephone, send us a letter or use our website.
We may also collect your personal data indirectly from publicly available sources of information and/or from other parties including:
• your intermediary or professional adviser(s) • other insurers, reinsurers or distribution partners • our service providers and business partners • organisations that we have an arrangement with to jointly offer products • our related entities • third parties who, at the time of collection, have notified you that your information will be provided to us • government, statutory or regulatory body and law enforcement bodies • other third parties; and • anyone that you have authorised to deal with us.
If you provide personal data about another individual to us, you agree to:
6. How we share your personal data
Your personal data may be transferred or disclosed to, accessed by or shared on a need to know basis with the following parties and for the following purposes.
- Group members or business partners:
a. members of bolttech in order to provide our products and services to you; b. any business partners of bolttech that we have an agreement with c. any person or company carrying on insurance-related and/or reinsurance-related business which is engaged by bolttech in connection with bolttech's business
- Agents or contractors
a. any person or company which is acting for or on behalf of bolttech, or jointly with bolttech, in respect of a purpose or a directly related purpose for which your personal data was provided; b. any agents, contractors or service providers who provide administrative, credit reference, debt collection, telecommunications, computer, payment, printing, redemption or other services in relation to the operation of businesses of bolttech;
a. any physicians, hospitals, clinics, medical practitioners, laboratories, technicians, loss adjustors, risk intelligence providers, claim investigation companies, administrators or other professional advisors who are engaged by bolttech in connection with bolttech's business;
a. any person or company to whom bolttech is obliged or expected to make disclosure under the requirements of laws, rules, regulations, codes of practice or guidelines (applicable in or outside Thailand) including any legal, regulatory, governmental, tax, law enforcement or other authorities, self-regulatory or industry bodies.
7. Transfer outside Thailand
These exceptions are:
- if the transfer is necessary for compliance with the law;
- if you have explicitly consented to the proposed transfer after having been informed of the possible risks due to the absence of an adequacy decision or adequate safeguards;
- if the transfer is necessary for the performance of a contract with you or the implementation of pre-contractual measures taken at your request;
- if the transfer is necessary for the conclusion or performance of a contract in your interest between bolttech and another natural or legal person;
- if the transfer is necessary to protect vital interests of you or other persons, where you are physically or legally incapable of giving consent; and
- if the transfer is necessary for important reasons of public interest.
8. Your rights
You have rights to your personal data, and according to the PDPA these rights include:
- Right to access You have a right to access and obtain a copy of your personal data that we hold about you. You may ask us to disclose the sources of where we obtained your personal data to which you have not consented to.
- Right to data portability You have a right to request us to transfer your personal data to other persons/organisations, or request to see the personal data that we have transferred to other persons/organisations, unless it is impossible for us to carry out your request due to technical circumstances.
- Right to object to the processing of your personal data You have the right to object to the processing of your personal data, unless there are circumstances that do not allow you to make the objection. These may include cases where we have compelling legitimate grounds or when the processing of your personal data is carried out to comply, exercise or defend legal claims or for the public interest.
- Right to erasure You have a right to request us to delete, destroy or anonymise your personal data in the following circumstances: a) The personal data is no longer necessary for the purpose for which it was collected, used or disclosed; b) You have withdrawn your consent on which the collection, use or disclosure was based and we no longer have legal grounds to collect, use or disclose the personal data; c) You have objected to the collection, use or disclosure of the personal data and we do not have legal grounds to reject the request; and/or d) When the personal data has been lawfully collected, used or disclosed under the PDPA.
- Right to restrict the processing of your information You have a right to request us to restrict the processing of your personal data in the following circumstances: a) It is under a pending examination process to check if the personal data is accurate, up-to-date, complete and not misleading; b) The personal data should be deleted or destroyed as it does not comply with the law and you request to restrict it instead; c) The personal data is no longer necessary for the purpose for which it was collected, used or disclosed, but you have the necessity to request the retention for purposes of establishing, complying, exercising or defending legal claims; d) We are pending verification of a basis to reject the objection request for the collection, use or disclosure of personal data.
- Right to rectification You have a right to rectify inaccurate personal data in order to make it accurate, up-to-date, complete and not misleading. If we reject your request, we will record the rejection with reasons.
- Right to lodge a complaint You have the right to make a complaint in the case where we, our data processors, employees or contractors do not comply with the PDPA or other announcements under the PDPA.
- Right to withdraw consent You may withdraw your consent at any time, unless we have a lawful basis to deny your request.
If you change your mind about how you would like us to have or process your personal data, you can tell us anytime by following our withdrawal process.
9. Exercising your rights
In order to exercise your rights stated above, you may refer to our contact’s details under “How to contact us” stated herein below. If you make a request, we will ask you to confirm your identity (if necessary), and to provide information that helps us to understand your request better. We expect to respond to your request within 30 days of the receipt of your request.
We have full rights and sole discretion to either fulfil or decline your request or charge a reasonable fee to fulfil your request in the case where you have made more than 3 consecutive requests within 10 working days, or in the event that the requests are obviously excessive or unfounded. We are entitled to refuse your request on statutory grounds and we will notify you of the refusal and our grounds.
If you have any questions or would like to exercise any rights relating to your personal data, please contact us via the provided details in the ‘How to contact us’ section.
10. How long we keep your personal data
The period we keep your personal data is often linked to the prescription and enforcement periods under law. We will not keep your personal data longer than is necessary for the purposes for which that personal data was collected, held and processed, except when the retention period is determined by other laws and regulations, which in many cases is up to 10 years after the end of our relationship with you.
After this time, we will only keep your personal data if we must do so to comply with a legal obligation, or if existing claims or complaints reasonably require us to keep your personal data, or for regulatory or technical reasons. If we do need to keep your personal data for a longer period, we will continue to protect that personal data.
We will delete, destroy, permanently anonymise, or otherwise dispose of all personal data at the end of the retention period, or when we must comply with your request for erasure of your personal data.
If you have any questions, please contact us at the provided details in the ‘How to contact us’ section.
11. Marketing and preference
As part of our products and/or service, we may use your personal data to identify a product or service that may benefit you. We may contact you occasionally to let you know about new or existing products or services.
We may also disclose your personal data to our related entities or business partners to enable them to tell you about a product or service. The marketing delivery channels may be through electronic means, email, telephone, text and other forms of communication.
For direct marketing, bolttech intends:
- to use your name, contact details, service and product portfolio information, financial background and demographic data held by bolttech in direct marketing;
- to market the following classes of services and products offered by bolttech, other members of bolttech, affiliates and/or our partners: a. insurance services and products; b. financial services and products; c. device protection services and products; d. selling, cross selling or upselling of services and products; e. reward, promotion, campaign, loyalty or privilege programs and related services and products; and f. donations and contributions for charitable and/or non-profit making purposes.
- to provide your personal data described in 1) above to any members of bolttech and/or our partners for their use in direct marketing the classes of services and products described in 2) above.
If you change your mind about how you would like us to contact you or you no longer wish to receive any of the above information, you can tell us anytime by following our withdrawal process.
12. Ensure security
To keep your personal data safe and secure, we use a range of measures, which include encryption and other forms of security. We require our employees and third parties who carry out work on our behalf to comply with appropriate privacy standards including obligations to protect against the leakage of information and to apply appropriate security measures for the processing of information.
We maintain and update our security procedures and measures to ensure a level of security for the personal data appropriate to the respective risk and the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing, including to prevent loss and unauthorised collection, access, use, modification, correction or disclosure of personal data. Our security measures apply to all types of data processing regardless of whether the personal data is processed electronically or in paper form.
13. Hyperlinks and cookies
bolttech’s website may include hyperlinks to third-party websites. bolttech has no control over the content, accuracy, expressed opinions, and links provided at these third party websites or how these third party websites deal with your personal data. You should visit these third party websites for details of their privacy policies in relation to their handling of your personal data.
bolttech may use ‘cookies’ to improve our internet service. Cookies are small data files that are automatically stored on the web browser in your computer which can be retrieved by bolttech’s website. Cookies enable bolttech’s website to remember you and your preferences when you visit the website and enable us to tailor the website to your needs.
The information collected by cookies is anonymous personalised settings information that contains no name or address information, or any information that will enable anyone to contact you via telephone, e-mail or any other means. No customer personal data is stored in cookies. However, you can disable cookies by changing your web browser settings. Please note that this it may affect how you use our website or online services. It may make it difficult for you to transact with us through our website and we may require time to request additional information.
15. How to contact us
If you have any comments, suggestions, questions, complaints or want to exercise your rights regarding your personal data, please contact:
Name: Data Protection Officer Email address: [email protected]
Third Party Entities
In order to operate our business smoothly, we may disclose your personal data to our FWD Group, affiliated entities and business partners and/or third party entities in Thailand or overseas to enable them to tell you about a product or service and store, maintain and manage your personal data. Please refer to the list of FWD Group, affiliated entities and business partners and/or third party entities here:
- Bolttech Group
- Bolttech Management Limited (Hong Kong)
- Bolt Challenger Go Pte. Ltd. (Singapore)
- Bolt Solutions Inc. (USA)
- FWD Group
- FWD Life Insurance Public Company Limited
- Siam Commercial Life Assurance Public Company Limited
- Megafin Company Limited
- Megafin Insurance Broker Company Limited
- Megafin Life Insurance Broker Company Limited
- Siam Makro Public Company Limited
- Bolttech Insurance Broker (Thailand) Company Limited
- Bolttech Life Insurance Broker (Thailand) Company Limited
- TMB Bank Public Company Limited
- CIMB Thai Bank Public Company Limited
- Siam Commercial Bank Public Company Limited
- SCB Protect Company Limited
- Tesco Lotus Money Services Limited
- Tesco General Insurance Broker Company Limited
- Tesco Life Assurance Broker Company Limited
- Ngern Tid Lor Company Limited
- Thai Samsung Electronics Company Limited
- AMT Solutions (Thailand) Company Limited
- Advanced Info Service Public Company Limited
- Total Access Communication Public Company Limited
- True Corporation Public Company Limited
- LINE Company (Thailand) Limited