On April 11, 2025, Thailand’s Office of Insurance Commission (OIC) released draft principles for two notifications for public comment, open until the end of April. These aim to amend the OIC Notifications on Guidelines for Customer Personal Data Protection for life and non-life insurance businesses, which were issued in 2021.
Key Principles
Both life and non-life insurance companies will be required to obtain consent for the following processing activities:
- Processing of general personal data:
- When requesting the OIC to disclose information related to a customer’s insurance policy for the purpose of underwriting or claims consideration.
- Processing of sensitive personal data:
- When requesting the OIC to disclose information related to a customer’s insurance policy for the purpose of underwriting or claims consideration; and
- When requesting the OIC to disclose information about a customer’s insurance fraud behavior for fraud monitoring, fraud risk management, and assessing and preventing insurance fraud risk for underwriting or claims payment.
The consent for the above processing activities must be in accordance with the consent requirements prescribed by the OIC, and the disclosure of personal data must also comply strictly with the conditions set by the OIC.
Life insurance companies may obtain consent for other purposes as long as they comply with Thailand’s Personal Data Protection Act B.E. 2562 (2019), and companies will be liable in the event of a personal data breach.
Additional Principles for Non-Life Insurance Businesses
Non-life insurance companies will be required to provide a privacy notice and a summary of the privacy notice for each type of insurance policy in accordance with the form prescribed by the OIC. The privacy notice and its summary must be provided prior to or at the time of offering insurance policies, or together with the consent form for data processing through any channels used for offering insurance. The privacy notice and its summary must also be published on the company’s website.
The prescribed privacy notice templates cover different types of insurance policies, including: (1) accident and health insurance; (2) fire, property, miscellaneous, and other types of insurance; and (3) compulsory motor insurance and voluntary motor insurance.
The OIC further prescribes a consent form for the processing of data relating to health, disabilities, sexual orientation, biometric data, genetic data, and race for purposes related to insurance applications, underwriting, or claims settlement, from sources such as other insurers, reinsurers, insurance brokers, authorized agencies, medical facilities, doctors, or insurance agents and brokers.
Compliance Preparation
Insurance companies operating in Thailand should review their existing consent mechanisms and privacy documentation to ensure compliance with these forthcoming requirements once finalized.
