Good Corporate Governance

Personal Data Protection Policy
Bangkok Life Assurance Public Company Limited


Bangkok Life Assurance Public Company Limited and its subsidiaries (“The Company”) realize the importance of personal data and privacy of data subject. In the rapid changing environment on technology and transition to digital economy, the Company dedicates and places importance on personal data protection and prevention of personal data breach, which are under the Company’s governance. The Board of directors considered issuing this policy.


The purposes of this policy are for governing, protecting, and maintaining security of personal data; and for supporting the Company’s strategies on managing personal data to create favorable outcome for the business; by specifying principles on handling personal data, under the Company’s supervision, which consist of collection, recording, usage, and disclosure of personal data; including prevention and remedy for damages regarding breach of privacy of data subject; as per personal data protection laws and international standards.


This policy applies to the Company’s personnels and those related to the Company, including but not limited to life insurance agents, financial advisors, brokers, partners, external service providers, etc. Those individuals must study and strictly follow this policy. Any violation is subject to punishment according to the Company’s policy and /or law punishment, including termination of business relationship.


“Personal Data” is defined as data related to an individual that can identify such individual, whether directly or indirectly. Personal data is classified into two types; general personal data and sensitive personal data.

“Data subject” is defined as an individual whom personal data can identify such individual’s identity, such as customers, employees, directors, life insurance agents, financial advisors, etc.

“Personal Data Protection Laws” is defined as Personal Data Protection Act B.E. 2562, and legislations issued under such act; including other enforcement laws related to personal data protection.

“Breach of Personal Data” is defined as violation of security measures that leads to destruction, loss, access, usage, change, modification, or disclosure of personal data without authorization or illegally.

Policy Requirement

  1. Personal Data Protection Principles

    The Company collects, records, uses, and discloses personal data in accordance with “Personal Data Protection Principles” under personal data protection laws, which are in line with international standards. In case of no specification under personal data protection laws or this policy, the Company will process personal data as per principles as follows;

    1. The Company honestly, transparently, and verifiably collects, records, uses, and discloses personal data under purposes that it can proceed legally. (Lawfulness Fairness and Transparency)
    2. The Company processes personal data under specified purposes only. The purposes are legal and informed to data subjects before or while the personal data is processed. (Purpose Limitation)
    3. When the Company collects personal data, it collects related personal data as needed to appropriately achieve specified purposes on personal data processing. (Data Minimization)
    4. The Company has appropriate processes for making personal data under its supervision accurate, current, complete, ready to be used, and not misleading. (Accuracy)
    5. The Company’s personal data retention period is in line with its specified purposes and/or legitimate purposes. (Storage Limitation)
    6. The Company has appropriate personal data security measures in organizational, technical, and physical aspects. (Security)
  2. Execution on Protecting Personal Data

    The Company specifies frameworks on personal data management, which cover collection, recording, usage, and disclosure of personal data; assessment of risks and impact on using personal data; usage of data subject’s rights; usage of external service; security measures; and handling of breaches, etc.; taking into account the importance of the data subject’s privacy. The frameworks follow international standards and personal data protection laws.

  3. Training and Raising Awareness

    The Company arranges training and raises awareness, so that its personnels and related persons understand personal data protection principles, the Company’s Personal Data Protection policy, and personal data protection laws.

  4. Monitoring and Evaluation

    The Company governs, monitors, and evaluates performance under this policy appropriately to ensure standard of internal controls and service provided are effective and in line with related regulations and laws.

Policy Revision

The Company reviews the policy at least annually or when a significant change occurs.


Reviewed in accordance with the resolution of the 1/2024 Board of Directors’ Meeting held on February 21, 2024


Please use the contact form below.
We'll get back to you as quickly as possible.