ACE Master Privacy Policy
Data Protection at ACE
At ACE INA Overseas Insurance Company Limited (Thailand) (“ACE”, "we", "us"), we routinely collect and use personal data about individuals, including insured persons, claimants or business partners ("you"). We are aware of our responsibilities to handle your personal data with care, to keep it secure and comply with applicable data protection laws.
How this Policy Works
The purpose of this Policy is to provide a clear explanation of when, why and how we collect and use information relating to you, which enables the identification of you, whether directly or indirectly ("personal data").
Important
Do read this Policy with care. It provides important information about how we use personal data and explains your statutory rights. This Policy is not intended to override the terms of any insurance policy or contract you have with us, nor rights you might have available under applicable data protection laws.
Data Protection Policy
1. Who is responsible for looking after your personal data?
ACE INA Overseas Insurance Company Limited (Thailand) will be principally responsible for looking after your personal data (your Data Controller).
Where your personal data has been passed to another Data Controller (e.g. a reinsurer), the first Data Controller will inform you of the other Data Controllers with whom they have shared your personal data and whom you can contact about their use of your personal data, as we do in Section 6 of this Policy.
You should be aware that although we are principally responsible for looking after your personal data, information may be held in databases which can be accessed by other companies in the Chubb group. When accessing your personal data, Chubb companies will comply with the standards set out in this Policy.
2. What personal data do we collect?
Prospective Insureds and Insured Persons. In order to underwrite and administer insurance policies, we collect information about the prospective insured, policyholder and related parties. This may include information about previous quotes obtained, background and contact information on the prospective insured, policyholder or their representative and matters relevant to the assessment of risk and management of insurance policies. The prospective insured or policyholder may be an individual, company or their representative. The level and type of personal data we collect and use varies depending on the type of policy that is applied for or held and may include information on other individuals who need to be considered as part of the policy. In some instances, it is necessary for us to collect and use Sensitive Personal Data, such as information about health or past criminal convictions. We are required to establish a legal exemption to use your Sensitive Personal Data - see Section 5 for further details.
If you are an insured person, from time to time you may need to provide us with the personal data of third parties, for example an injured third party in relation to a claim under a liability policy. Wherever possible, you should take steps to inform the third party that you need to disclose their details to us, identifying ACE as your insurer. We will process their personal data in accordance with this Policy.
Claimants. If you are making a claim under a policy, we will collect your basic contact details together with information about the nature of your claim and any previous claims. If you are an insured person we will need to check details of the policy you are insured under and your claims history. Depending on the nature of your claim, it may be necessary for us to collect and use Sensitive Personal Data, such as details of personal injury you may have suffered during an accident.
Business Partners and Visitors. If you are a business partner, we will collect your business contact details. We may also collect information about your professional expertise and experience. We may collect your contact details if you visit our website, register for a newsletter or attend one of our events. If we collect personally identifiable information through our website, we will make it clear when we collect personal information and will explain what we intend to do with it.
For more information on what information we collect, please see Appendix 1.
3. When do we collect your personal data?
Prospective Insureds and Insured Persons
Claimants
Business Partners and Visitors
4. What do we use your personal data for?
Prospective Insureds and Insured Persons. If you are a prospective insured or an insured person we will use your personal data to consider an application for an insurance policy, assess and evaluate risk, and subject to applicable terms and conditions, provide you with a policy. If we have provided you with your policy we will use your personal data to administer your policy, deal with your queries, and manage the renewal process. We will also need to use your personal data for regulatory purposes associated with our legal and regulatory obligations as a provider of insurance.
Claimants. If you are a claimant we will use your personal data to assess the merits of your claim and potentially to pay out a settlement. We may also need to use your personal data to evaluate the risk of potential fraud. If you are also an insured person, we will use personal data related to your claim to inform the renewal process and potentially future policy applications.
Business Partners and Visitors. If you are a business partner we will use your personal data to manage our relationship with you, including sending you marketing materials (where we have appropriate permissions) and inviting you to events. Where relevant, we will use your personal data to deliver or request the delivery of services, and to manage and administer our contract with you or with your employer. If you are a visitor, we will typically use your personal data to register you for certain areas of our website, respond to enquiries for further information, distribute requested reference materials, or invite you to one of our events.
Data analytics. We routinely analyse information in our various systems and databases to help improve the way we run our business, to provide a better service and to enhance the accuracy of our risk and other actuarial models. We take steps to protect privacy by aggregating and where appropriate anonymising data fields before allowing information to be available for analysis.
5. Protecting your privacy
We will make sure that we only use your personal data for the purposes set out in Section 4 and in Appendix 2 where we are satisfied that:
Before collecting and/or using any Sensitive Personal Data we will establish a lawful exemption which will allow us to use that information. If your Sensitive Personal Data is collected on a form (including on a website) or over the telephone, further information about the exemption may be provided on that form. This exemption will typically be:
PLEASE NOTE. If you provide your explicit consent to permit us to process your Sensitive Personal Data, you may withdraw your consent to such processing at any time. However, you should be aware that if you choose to do so we may be unable to continue to provide insurance services to you (and where you withdraw consent to an insurer’s or reinsurer’s use it may not be possible for the insurance cover to continue). This may mean that your policy needs to be cancelled. If you choose to withdraw your consent we will tell you more about the possible consequences, including the effects of cancellation (which may include that you have difficulties finding cover elsewhere), as well as any fees associated with cancellation.
Please see Appendix 2 to find out more about the information we collect and use about you and why we believe it is appropriate to use that information for such activities.
6. Who do we share your personal data with?
We work with many third parties to help manage our business and deliver services. These third parties may from time to time need to have access to your personal data.
For Prospective Insureds and Insured Persons these third parties may include:
For Claimants this may include:
We may be under legal or regulatory obligations to share your personal data with courts, regulators, law enforcement or in certain cases other insurers. If we were to sell part of our businesses we would need to transfer your personal data to the purchaser of such businesses.
Assistance Providers: these are a special category of service provider which we use to help provide you with emergency or other assistance in connection with certain policies (e.g. certain travel policies).
Brokers: insurance brokers arrange and negotiate insurance coverage of individuals or companies and deal directly with insurers, such as ACE.
Claims Experts: these are experts in a particular field which is relevant to a claim, for example medicine, forensic accountancy, mediation or rehabilitation, who are engaged by ACE to help us properly assess the merit and value of a claim, provide advice on its settlement, and advise on the proper treatment of claimants.
Data Controller: means a natural or juristic person (such as a company) which has the power and duty to make decisions regarding the collection, use or disclosure of personal data. For example, an ACE entity which sells you an insurance policy will be your Data Controller as it determines how it will collect personal data from you, the scope of data which will be collected, and the purposes for which it will be used.
OIC: the OIC is the Office of Insurance Commission, which is an insurance regulatory body.
Personal Data Protection Committee: the Personal Data Protection Committee regulates the processing of personal data by all organisations within Thailand.
Prospective Insured and Insured Person: we use this term to refer to prospective, active or former individual policyholders, as well as any individual who benefits from insurance coverage under one of our policies (for example, where an employee benefits from coverage taken out by their employer).
Loss Adjuster: these are independent claims specialists who investigate complex or contentious claims on our behalf.
Other Insurers / Reinsurers: some policies are insured on a joint or "syndicate" basis. This means that a group of insurers (including us) will join together to write a policy. Policies may also be reinsured, which means that the insurer will purchase its own insurance, from a reinsurer, to cover some of the risk the insurer has underwritten in your policy. ACE purchases reinsurance, and also acts as a reinsurer to other insurance firms.
Sensitive Personal Data: means any personal data relating to your health, disability, genetic or biometric data, criminal records, sexual behaviour, racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership. At ACE, (other than in the context of our employees, which is outside the scope of this Policy) we routinely only process Sensitive Personal Data relating to health or criminal records.
Service Providers: these are a range of third parties to whom we outsource certain functions of our business. For example, we have service providers who help us manage our IT and back office systems. Some of these providers use 'cloud based' IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal data.
Lawyers: we frequently use lawyers to advise on complex or contentious claims or to provide us with non-claims related legal advice. In addition, if you are a claimant you may be represented by your own lawyer(s).
Third Party Administrators (or TPAs): these are companies outside the Chubb group which administer the underwriting of policies, the handling of claims, or both, on our behalf. We require all TPAs to ensure that your personal data is handled lawfully, and in accordance with this Policy and our instructions.
7. Direct Marketing
We may use your personal data to send you direct marketing communications about our insurance products or our related services. This may be in the form of email, post, SMS, telephone or targeted online advertisements.
In most cases our processing of your personal data for marketing purposes is based on our legitimate interests to provide information you might find helpful to manage your insured risks, insurance renewals and other products, services and offers that may be of interest to you, although in some cases (such as where required by law) it may be based on your consent. You have a right to prevent direct marketing of any form at any time - this can be exercised by following the opt-out links in electronic communications or by contacting us using the details set out in Section 11.
We take steps to limit direct marketing to a reasonable and proportionate level and to send you communications which we believe may be of interest or relevance to you, based on the information we have about you.
8. International Transfers
From time to time we may need to share your personal data with members of the Chubb group who may be based outside Thailand. We may also allow our Service Providers or Assistance Providers, who may be located outside Thailand, access to your personal data. We may also make other disclosures of your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body.
We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests:
You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 11 if you would like further information.
9. How long do we keep your personal data?
We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 4 of this Policy. In some circumstances we may retain your personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax or accounting requirements.
In specific circumstances we may also retain your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.
Where your personal data is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.
10. What are your rights?
You have a number of rights in relation to your personal data.
You may request access to your data, correction of any mistakes in your data, erasure of records where no longer required, restriction on the processing of your data, objection to the processing of your data, data portability and various information in relation to the basis for international transfers. You may also exercise a right to complain to the Personal Data Protection Committee. More information about each of these rights can be found by clicking on the relevant link or by referring to the table set out further below.
To exercise your rights you may contact us as set out in Section 11. Please note the following if you do wish to exercise these rights:
Right | What this means
Access | You can ask us to:
We may not have to comply with a request where it is permitted by law or pursuant to a court order, and such access would adversely affect the rights and freedoms of other persons.
Rectification | You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.
Erasure | You can ask us to erase your personal data, but only where:
We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary:
There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances in which we would deny that request.
Restriction | You can ask us to restrict (i.e. keep but not use) your personal data, but only where:
We can continue to use your personal data following a request for restriction, where:
Portability | You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another Data Controller, but in each case only where:
Objection | You can object to any processing of your personal data which has our 'legitimate interests' as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests.
Personal Data Protection Committee | You have a right to lodge a complaint with the Personal Data Protection Committee about our processing of your personal data.
Identity |
Timescales |
11. Contact and complaints
The primary point of contact for all issues arising from this Policy, including requests to exercise data subject rights, is our Data Protection Officer.
The Data Protection Officer can be contacted in the following ways:
Email: dpo.th@chubb.com
Write to: Data Protection Officer, ACE INA Overseas Insurance Company Limited (Thailand), 399 Interchange 21 Building Level 30, Sukhumvit Road Klongtoey Nua, Wattana, Bangkok 10110
If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with the Personal Data Protection Committee at any time.
Updated April 2020
Appendix 1 – Categories of Personal Data
Information type | Details of information that we typically capture
Prospective Insureds and Insured Persons
Contact Details | Name, address, telephone number, email address
Identification Information | Identity card number, passport number, work permit number
Policy Information | Policy number, relationship to the policyholder, details of policy including insured amount, exceptions etc, previous claims
Personal Risk Information | Gender, date of birth, claims history.
Vehicle registration number
Professional history or CV
Publicly available information
Schedule of possessions, property construction, physical condition, security, fire protection and value
Travel information
Sensitive Data
Health data – eg physical and mental conditions, medical history and procedures, relevant personal habits
Financial Information | Bank account details (where you are the payer of the policy premium) or credit card data used for billing
Marketing | Name, email address, interests / marketing list assignments, record of permissions or marketing objections, website data (including online account details, IP address and browser generated information)
Claimant
Contact Details | Name, address, telephone number, email address
Identification Information | Identity card number, passport number, work permit number
Financial | Bank account details used for payment
Anti-fraud Data | Address, history of fraudulent claims, details of incident giving rise to claim
Business Partners and Visitors
Contact Details | Name, work address, work email, work telephone numbers, job title
Marketing | Name, job title, email address, interests / marketing list assignments, record of permissions or marketing objections, website data (including online account details, IP address and browser generated information)
Office Visitor | Name, job title, email address, telephone number, CCTV images, dietary preferences (for events), disability data (voluntarily provided)
Appendix 2 – Legal Basis for Processing
Activity | Type of information collected | The basis on which we use the information | Who we may disclose the information to
Prospective Insureds and Insured Persons
Set up a record on our systems
Carry out background, sanction and fraud checks
Consider the underwriting submission, assess risk and write policy
Manage renewals
Provide client care, assistance and support
Receive premiums and payments
Marketing
Comply with legal and regulatory obligations
Claimant
Receive notification of claim
Assess claim
Monitor and detect fraud
Settle claim
Comply with legal and regulatory obligations
Business Partners and Visitors
Manage relationships
Administer contracts
Marketing
Run events and host office visitors; accommodate website visitors
Applicable to all
Transfer of books of business
Sale or reorganization of an ACE company
Recording of telephone calls