The Personal Data Protection Act 2019 (PDPA) is a statute that regulates the privacy of individuals in Thailand. The PDPA is the very first consolidated law governing data protection in general in Thailand. The PDPA takes effect from 27 May 2020, and this statement explains how McLarens holds personal data in Thailand, what we do with it and who we might send it to.
This statement covers McLarens Thailand.
We value the privacy of your personal information.
This McLarens Privacy Statement outlines how we collect, hold, use and disclose your personal information. By visiting our website, using any of our services, or providing us with your personal information, you agree to your personal information being collected, held, used and disclosed as set out in this Privacy Statement. We also rely on the consent you gave our clients when they collected your personal data.
The Purposes for Which We Hold, Use and Disclose Personal Information
We collect personal information to assist our clients in investigating, assessing and settling insurance and other claims (e.g. when we act for an insurer, this will involve us collecting personal information from insureds, claimants and other third parties involved in the claim, as well as checking the validity of such information). We obtain this information from our insurer clients under a data processing agreement.
We hold limited personal data which we use to inform our clients employees about corporate events and services that we provide. No such communication will be sent to those who withdraw their consent.
We also use the personal information that we hold, to contact you, to notify you about changes to our service, to verify your identity, and to provide customer support.
We provide the personal information we collect to our insurer clients, their agents and advisers such as lawyers. This is to assist the insurer or their agent to manage and administer their relationship with the insured, and to decide or advise on payment of a claim. We also provide personal information to other third parties who can confirm the information provided to us (e.g. repairers, witnesses to a claim or law enforcement agencies) or to assist us in providing our insurance claims services (e.g. our investigators and other agents and contractors). We may also disclose some data to other companies in the McLarens group of companies. We are permitted to transfer personal data out of Thailand, but we have to ensure that the company receiving the personal data has proper security – which all McLarens companies have.
We may also hold and use your personal information, and disclose your personal information to relevant third parties for the following purposes:
- To deal with enquiries – we may need to collect your personal information to answer an enquiry you make;
- Dealing with a complaint – for example a complaint made by you in respect of service provision;
- Maintaining and improving our service, auditing, quality assurance and training – for example, we may review your personal information to identify how our services can be improved;
- Assisting with the claims process by providing your name address and phone numbers to contractors
- Other purposes – for any other purpose communicated to you at the time we collect your personal information or as required or permitted by law.
Occasionally we may be required or authorised to collect personal information because of laws in Thailand or an order of a Court / Tribunal. If we are collecting personal information for this purpose, and we are permitted to do so, we will tell you.
The categories of personal data we process when handling claims are determined by the data controllers we are acting for and based on their instructions to us.
Personal Information We Collect and Hold
The personal information we collect and / or hold about you and other individuals (such as a co-insured or your spouse, partner or children) may include:
- Name, date of birth and gender of you, your colleagues/employees and/or family members,
contact details such as address, phone, fax and email of said persons
- Bank account details
- Medical data
- Information relevant to providing a service such as:
- Your claims history;
- Information obtained as part of the management and processing of a claim (e.g. information on a police report);
- Details of insurance policies you hold or have held; and sensitive information such as criminal records (e.g. where this information is relevant to processing a claim)
What Happens if You Don’t Give Us Your Personal Information
If you don’t provide us with the required personal information, we and our clients may not be able to provide you with some or all services (e.g. we may not be able to access or assess your claim). Where we collect personal information from you, we expect you to tell us if you do not consent to us disclosing the personal information you provide to us to the types of third parties referred to above.
How We Collect and Hold Personal Information
How we collect:
We may collect personal information about you and other individuals in various ways including:
- Over the phone, including telephone recordings
- Audio/visual recordings, including CCTV
- In person
- When we interview witnesses or other third parties
- When attending site meetings in the notes of those meetings
- In writing, including via email and hard copy forms
- Social media or other on-line sources where data is in the public domain
From whom we may collect:
We may collect such information directly from you or through a variety of third parties such as repairers, suppliers, consultants, and the police. We may also collect personal information from publicly available sources such as the phone book or public websites.
When we collect personal information from you about someone else:
We may seek to collect from your personal information about another person. This may happen if you have personal information about another person which is relevant to a claim. For example, you may have the details of a witness to an incident for which you are claiming under your insurance policy. If you provide us with information about another person, then you must:
- Have their consent to do so
- Tell them that you are disclosing their personal information to us
- Refer them to this Privacy Statement.
Holding personal information:
We hold personal information electronically and on paper / in hard copy.
For the personal information we hold electronically we take reasonable security measures including firewalls, secure logon processes, encryption and intrusion monitoring technologies.
For the information we hold in hard copy / on paper we have in place reasonable confidentiality procedures and we also take reasonable security measures. We also require third party providers to hold personal information securely.
Your information will be held for at least seven years for legal, regulatory and accounting purposes and thereafter for as long as reasonably necessary or as we are contractually required to do so.
You have the right to withdraw consent for us to process your information at any time.
You have the right to withdraw consent for us to pass your information to third parties that we have outlined in this policy.
However, withdrawing consent may result in us ceasing to handle the claim or environmental claim in question and may prejudice those services for which we are instructed by your Insurers or other parties to perform.
Accessing your information:
You can make a written request to access the personal information we hold about you. If we aren’t able to meet your request for access, we’ll let you know why.
You have the rights to the following information: –
- The purpose(s) for which we are processing your information.
- The categories of personal information we hold about you
- The recipients or categories of recipient to whom the personal data have been or will be disclosed.
- The period for which we will store your information; or the criteria used to determine that period.
To rectification or restriction of the way in which we are processing your information; or to object to us processing it.
To erasure of your personal information provided it is no longer necessary for the purposes for which it was collected; or where there is no legal basis for us processing it.
Where we have collected information about you from sources other than yourself, information about those sources.
To ask us whether any decisions are being taken about you by automated means and if this is happening; information about the logic involved and any significant consequences on you.
To ask us about the appropriate safeguards we take if we transfer your information to a third country or international organisation.
You can exercise any of these rights at any time by writing to the Data Protection Officer Liz Tubb at firstname.lastname@example.org
Keeping your information accurate:
We take reasonable steps to ensure that the personal information we collect and store, use or disclose is accurate, up-to-date and complete. However, we rely on you to advise us of any changes to your information to help us do so. If you believe your personal information is not accurate, up-to-date or complete, then please let us know. If you’d like to request access to or seek correction of your personal information, please contact us. Our contact details are at the end of this Privacy Statement.
Complaints about how we handle your personal information:
If you have a complaint about our handling of your personal information or an alleged breach of the principles contained in the PDPA 2019 please contact us and provide us with the details of your complaint / the alleged breach as well as any supporting evidence. You can contact us via the below options:
Data Protection Officer
Refer to the website – www.mclarens.com to obtain contact details.
We will promptly acknowledge the complaint, carefully investigate it and determine the steps that we will undertake to resolve your complaint. We will contact you if we require any further information and will provide you with our determination once it is made.
If you wish to take the matter further, you will be able to contact the Personal Data Protection Committee once this has been established.