Health Plaza Company Limited., a network company under Bangkok Dusit Medical Services Public Company Limited (BDMS) (“the company”), commits to protect your personal data as you undergo investigation, treatment and medical services including other services provided by our company. Your personal data will be protected under the Personal Data Protection Act B.E. 2562. The company served as a controller of such personal data is responsible by law for notifying you of this document for reasons and methodology the company collects, gathers, uses or discloses your personal data, including informing you your rights as an owner of such personal data.
The company analyzes your personal data under a defined scope by the Personal Data Protection Act B.E. 2562, and analyzes the data only as necessary for aforementioned actions. The company therefore concludes the use of your personal data, as well as explaining the Lawful Basis of Processing for your personal data as below details.
1. For Purposes of medical investigation and providing medical services
1.1 Medical Services in health providers of the company
Company’s teams of physicians, nurses and/or other staffs in health teams will record your personal data and take such information for consultation with physicians or medical staffs including taking imaging and video for further follow up and/or any actions according to relevant professional principles throughout the period you are receiving the services as the company explains detailed information for your understanding prior to starting any services and lets you ask questions until you are satisfied.
1.2. Medical services if necessary to link data between network health providers
For providing you benefits of medical services, the company’s teams of physicians, nurses and/or other relevant staffs may disclose your personal data to network health providers if necessary to use the data between the network health providers to provide some types of medical services. The company establishes measures to protect personal data by agreements among network health providers to prevent unlawful processing of your personal data or without authority.
1.3 To refer patients between health providers
In case, the company puts or receives a request for referral of patient from one provider to another or from one provider to the company’s provider according to referral as set by the company. The company proceeds with referral according to the company’s defined standards and will use your personal data for the purpose of referral only not for other purposes.
Type of data: identification data/ contact data/ health data/ financial data
1. Is necessary for complying with the agreement of receiving medical treatment as a counterparty of the company (Section. 24(3))
2. For sensitive personal data: legal practice bases in diagnosis and medical treatments such as Medical Facility Act B.E. 2541 and Medical Profession Act B.E. 2525 (Section. 26(5)(A)).
3. For sensitive personal data: To prevent or suppress threats to life, body or health, in case the owner of personal data cannot give self-consent such as undergoing Emergency care or referral between health providers (Section.26 (1))
2. For a purpose of analysis study to develop quality of treatments by unidentified personal data
The company may use your personal data for analysis study to develop quality of treatments by an overall report with unidentified owners of personal data and the company strictly maintains confidentiality of such data.
Type of data: statistical data
Lawful processing: as for Legitimate Interest in analysis of statistic data using unidentified personal data to develop and increase efficacy of organization for medical treatments and other services by the company (Section. 25 (5))
3. Disclosure of the data to your insurance companies or contracts for purposes of rights to claim compensation from insurance companies or to reimburse medical claims
The company needs to disclose your personal data to insurance companies to comply with a contract that you or the company makes with the insurance companies for compensation or medical reimbursement. Indeed, the company will not disclose your personal data to irrelevant parties.
Type of data: identification data/ contact data/ health data
Lawful processing: Upon receipt of your intended consent for disclosure of your personal data: health data to insurance companies for a right to claim compensation from the insurance companies or to reimburse medical claims (Section. 26)
4. Disclosure of the data to a party referring you for investigation or a payer when you give consent for disclosure of personal data
In case agency of either government, private sector or state enterprise refers you to the company for treatments or is a payer for your medical expenses, the company will disclose your health data which is sensitive personal data to the aforementioned agency only if you give consent to disclose your data to the agency. The company will directly send you the result of investigation.
Type of data: identification data / contact data/ health data
Lawful processing: Upon receipt of your intended consent for disclosure of personal data (Section. 26)
5. For purpose of linking electronic database of medical records among health providers via mobile application
Once you give consent, the company will enter your personal data into computer system in a format of mobile application for your convenience to receive consultation via the application and for you to manage your data via the application. To maximize benefits, the system will link electronic database of medical records among network health providers for you to browse your existing personal data maintained by the providers via electronic devices as the company makes agreement with network health providers to protect your personal data in compliance with Personal Data Protection Act B.E. 2562.
Type of data: identification data/ contact data/ health data
Lawful Processing: Upon receipt of your intended consent for disclosure of personal data among health providers (Section. 26)
6. For Marketing Purposes
The company may collect, gather, use and analyse personal data for analysing your health condition and contacting you for communication, providing medical information and offering promotion, products and services according to your consent
Type of data: identified data/ contact data/ information of subscription and participation in marketing activities
Lawful Processing: The company will perform this after receiving your consent to the company to use your health data for marketing purposes (Section 26)
7. To comply with a contract as you are a vendor to the company or process your request for making a contract with the company
The company will process your personal data as you are a vendor with the company for the actions below:
Type of data: identification data / contact data
Lawful Processing: It is necessary to comply with a contract as you are a vendor with the company or to process your request for making a contract with the company (Section. 24 (3))
Apart from the aforementioned purposes, the company will not use your personal data for other purposes unless Personal Data Protection Act B.E. 2562 permits such as
“Personal Data” includes information related to an individual that is identifiable either directly or indirectly excluding the information of the decreased particularly
“Sensitive personal data” includes individual data related to race, ethnicity, political opinion, beliefs, religion or philosophy, sexual behavior, criminal records, health information, disability, trade union information, genetic data, biometric data (such as facial image data, iris data, fingerprint data) or any other information that affects the owner of personal data in a similar manner as defined by committee of personal data protection
“Health information” includes the following information
“Processing” includes collect, gather, use or disclose
“Personal data controller” includes individual or juristic person who has authority in decision making about collection, gathering, use or disclosure of personal data
“Personal data processor” includes individual or juristic person who performs collection, gathering, use or disclose of personal data according to orders or on behalf of a personal data controller, in addition, the individual or juristic person performing actions as above must not be a personal data controller.
“Bangkok Dusit Medical Services Group” includes companies in BDMS network that already exist or will exist in the future, both registered in Thailand and overseas, including Bangkok Dusit Medical Services Company limited
“Network Health provider” includes health providers in a group or network of BDMS operating both in Thailand and overseas
1. Personal Data the company collects from you
Your personal data collected by the company can be classified as below details
Types of personal data
1. Personal data such as name, surname, ID card number, face image, gender, date of birth, passport number or other identifiable numbers
2. Contact data such as address, telephone number, e-mail address
3. Financial data such as billing information, credit or debit card information, receipt information, invoice information
4. Marketing data: subscription information and marketing participation such as information used for receiving information and participating in marketing activities
5. Statistical Data such as unidentified information, the number of patients, a number of website traffic
6. Technical data from visiting the website such as IP Address of computer, type of browser, Cookies information time zone setting, operating system, platform and technology of devices used for accessing website and Online Appointment System
7. Health data such as treatment information, reports about physical or mental health condition, health cares of service receivers, laboratory test results, diagnosis, diagnosis of disease, information about drug use and drug allergy, history of food allergy, blood result, laboratory result, pathological result, radiological images and radiological report, list of prescribed medication, necessary information for medical services, information of feedback and treatments
2. Sources of Personal Data
The company collects your data from the following sources
1. Personal data directly collected from you such as
1.1 In case you receive investigation and treatment, the company receives your personal data from you contact the company about services or you register for receiving medical services and other services from the company, including registration via electronic media
1.2 In case you are a vendor of the company, the company receives your personal data from you because you contact the company to ask about going to provide services to the company or the company collects your personal data as you are a vendor who makes a contract with the company.
2. Personal data indirectly collected such as
2.1 Persons who are close to you such as relatives, spouse etc.
2.2 Person you give authority to act on your behalf in contacting with the company
2.3 Network health providers, in case you already give consent to the network health providers for disclose of your personal data
2.4 Person, juristic person or agency of any government, private sector, or state enterprise who sends you for investigation or services to the company or is a payer for your service expenses
3. Disclosure or sharing of personal data
The company will not disclose your personal data to outside parties except when laws permit for needs in operation so the company may disclose your personal data for the following cases
1. Disclose personal data to government agency, authority agency or any person when laws define or authorize, including following court orders
2. Disclose personal data to individual or juristic person the company needs to comply with contract or for your benefits as an owner of personal data. The company requires those individual or juristic person must maintain confidentiality and protect your personal data according to standards as defined by Personal Data Protection Act B.E. 2562, including but not limited to individual or juristic persons as listed below
3. The company may maintain your personal data in Cloud Computing by using such services from the third party located in Thailand or overseas. The company makes a contract with mentioned persons very thoroughly and considers safety system in maintaining personal data that Cloud Computing service provider inregard to personal data protection
4.Duration of personal data retention
5. Measures of personal data maintenance and analysis
6. Overseas transfer of personal data
8. Rights of personal data owner
As a personal data owner, you have rights to request the company to process your personal data according to scope allowed by laws as below
1. Right to withdraw consent: you have rights to withdraw your consent for personal data processing as consented to the company anytime throughout the period your personal data stored in the company
2. Right of access: you have rights to access your personal data and request the company for a copy of aforementioned personal data, including requesting the company to disclose the acquisition of your personal data you did not give your consent
3. Right to rectification: you have rights to request the company to correct incorrect data or add missing data
4. Right to erasure: you have rights to request the company to erase your data for some reasons
5. Right to restriction of processing: you have rights to request the company to suppress the use of your personal data for some reasons
6. Right to data portability: you have rights to transfer your personal data maintained by the company to other data controllers or yourself for some reasons
7.Right to object: you have rights to object to your personal data processing for some reasons
You can contact Data Protection Officer: DPO through the company service center to submit your request per aforementioned rights to
9. Changes of Personal Data Protection Policy
The company may review and change personal data protection policy in the future to develop better personal data protection, the company will notify you every time the mentioned policy changes
10. Contact channel
You can contact a data controller, inquiry or use any right related to personal data with Data Protection Officer: DPO
E-mail: [email protected]
Health Plaza Company Limited
2/4 Wireless Road,Lumphini sub distric ,Pathumwan district, Bangkok 10330