Introduction
On 20 April 2026, the Office of Insurance Commission (“OIC”) issued two notifications on guidelines on personal data protection for Life and Non-Life Insurance Businesses[1] (“Updated Guidelines”) which were officially published in the Royal Gazette and took effect from the date of their publication.
The Updated Guidelines amend and supplement the existing OIC notifications to further align insurance sector practices with Thailand’s Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”) and international standards.
Scope of Enforcement
The Updated Guidelines apply to companies operating life and non-life insurance business, under Thai laws on life and non-life insurance, with respect to the collection, storage, and protection of customers’ personal data in compliance with the PDPA and relevant laws.
Key Highlights
- Requirement of Consent for Processing of Sensitive Personal Data for Underwriting and Claims Purposes
The Updated Guidelines amend the legal basis for the insurance company’s processing of sensitive personal data for underwriting and claims purposes. The basis shifts from legal compliance to achieve the substantial public interest purpose(s) under section 26(5)(e) of the PDPA to a consent-based legal ground.
In this regard, the insurance company is required to obtain the consent of customers, their family members, and other relevant persons for collection, use, or disclosure of their sensitive personal data for the purposes of underwriting, reinsurance, premium calculation, policy acceptance or rejection, and claims settlement. There are limited grounds on which the insurance company could rely upon other legal bases and not obtain consent from customers; however, further legal advice should be sought before doing so.
- Requirement of Consent for Requesting Disclosure of Insurance Data from the OIC
The Updated Guidelines require the insurance company to obtain the customer’s consent on a per‑policy basis when requesting the OIC to disclose the customer’s insurance data (whether general personal data and/or sensitive personal data) for the purposes of underwriting consideration, claims settlement, or the provision of services related to the insurance policy.
- Reinforcement of Data Protection
The Updated Guidelines reaffirm that the insurance company may collect, use, or disclose customers’ personal data and sensitive personal data for other purposes, provided that valid consent has been obtained and the insurance company complies with the PDPA and other applicable laws. They also emphasise that the insurance company remains liable for any personal data breach or violation.
Key Takeaway for the Insurance Business Sector
The Updated Guidelines impose stricter requirements on both life and non-life insurance companies, particularly by strengthening consent obligations for processing sensitive personal data and requiring per-policy consent for OIC data disclosures.
In addition to complying with the Updated Guidelines, insurance companies should ensure compliance with the PDPA and other applicable laws to mitigate potential sanctions, since non-compliance may expose them to legal liabilities and regulatory risks, including suspension or revocation of agent or broker licenses.
Accordingly, insurance companies should review and update their data processing practices, consent mechanisms, and internal processes and documentation, including the privacy notice, to align with these heightened standards and the applicable laws.
Particular attention should be paid to ensuring transparency, proportionality, and robust protection of customers’ insurance data, whether general or sensitive personal data, throughout the insurance lifecycle, as insurance companies remain fully liable for any personal data breaches or violations. Insurance companies should also closely monitor regulatory developments so that they are informed when the OIC issues the guideline on the consent wording.
Contribution Note
This Legal Update is contributed by the listed Contact Partners, with the assistance of Senior Associate Itthiwut Saengratanadej and Associate Nathathida Puthiburanawat.
__________________________________________________________
[1] Notification of Office of Insurance Commission re: Guidelines for Customer Personal Data Protection for Life Insurance Businesses (No. 2), B.E. 2568 (2025) and Notification of Office of Insurance Commission re: Guidelines for Customer Personal Data Protection for Non-Life Insurance Businesses (No. 2), B.E. 2568 (2025)