In brief
Thailand’s insurance industry regulator, the Office of Insurance Commission (OIC), has issued two notifications amending the personal data protection guidelines for life and non‑life insurance businesses. The key changes relate to the legal bases that insurers may rely on when processing sensitive personal data for purposes such as underwriting, reinsurance, premium calculation, denial of coverage, or claims handling. While the amendments do not eliminate reliance on the "substantial public interest" basis, they place greater practical emphasis on consent. The changes also leave open questions about how the revised basis applies in practice. Insurance companies should revisit their legal bases for processing and review related legal documents to ensure compliance.
In more detail
Background
On 20 April 2026, the Royal Gazette published the OIC's two notifications amending its personal data protection guidelines for life and non‑life insurance businesses, namely:
- The Notification of OIC regarding Guidelines for the Protection of Customers’ Personal Data for Life Insurance Business (No. 2), B.E. 2568 (2025)
- The Notification of OIC regarding Guidelines for the Protection of Customers’ Personal Data for Non-Life Insurance Business (No. 2), B.E. 2568 (2025)
The notifications amend the previous guidelines, with particular attention to the legal bases that insurance companies may rely on when processing personal data, especially sensitive personal data, under the Personal Data Protection Act B.E. 2562 (2019) (PDPA).
Key updates under the notifications
Revised legal basis for processing sensitive personal data
Under the previous version of the OIC guidelines, insurance companies were expressly permitted to rely on the legal basis of compliance with a law for substantial public interest under Section 26(5)(e) of the PDPA when processing sensitive personal data of customers and related persons for core insurance activities, including underwriting, reinsurance, premium calculation, denial of coverage, and claims handling. In principle, this allowed an insurer to process such data without consent where the processing was necessary to comply with a legal obligation serving a substantial public interest, including the duty under Section 866 of the Civil and Commercial Code to exercise due care in ascertaining facts relating to the insured.
Under the amending notifications, the drafting has been refined to state that insurance companies are required to obtain consent for the processing of sensitive personal data for insurance‑related purposes, unless another legal basis under Section 26 of the PDPA applies such that consent is not required.
Although the notifications expressly leave room for reliance on alternative legal bases under Section 26, they signal a shift away from reliance on the substantial public interest basis and toward consent as the primary basis for processing sensitive personal data by insurance companies. This leaves it uncertain whether reliance on Section 26(5)(e) of the PDPA remains viable in practice for the core insurance activities listed above.
Additional scenarios requiring consent
The amending notifications also provide further examples in which consent is required, including cases where insurance companies request the OIC to disclose general or sensitive personal data relating to a customer’s insurance policy for purposes such as underwriting, claims handling, or other policy‑related services.
What this means for the insurance industry
- The insurance industry should seek regulatory clarity from relevant authorities.
- Insurance companies may wish to take the opportunity to revisit the legal bases currently relied on, particularly in relation to the processing of sensitive personal data, and consider whether updates to relevant documents are required to align with the updated guidelines.
For more information on the impact of the amending notifications, please contact us.
* * * * *
Soravit Vongbunsin and Chayapisa Kositbenjapol, Associates, have contributed to this legal update.