Policy Framework

Health Plaza Company Limited., a network company under Bangkok Dusit Medical Services Public Company Limited (BDMS) (“the company”), commits to protect your personal data as you undergo investigation, treatment and medical services including other services provided by our company. Your personal data will be protected under the Personal Data Protection Act B.E. 2562. The company served as a controller of such personal data is responsible by law for notifying you of this document for reasons and methodology the company collects, gathers, uses or discloses your personal data, including informing you your rights as an owner of such personal data.

Objectives

The company analyzes your personal data under a defined scope by the Personal Data Protection Act B.E. 2562, and analyzes the data only as necessary for aforementioned actions. The company therefore concludes the use of your personal data, as well as explaining the Lawful Basis of Processing for your personal data as below details.

1. For Purposes of medical investigation and providing medical services

1.1.     Medical Services in health providers of the company

Company’s teams of physicians, nurses and/or other staffs in health teams will record your personal data and take such information for consultation with physicians or medical staffs including taking imaging and video for further follow up and/or any actions according to relevant professional principles throughout the period you are receiving the services as the company explains detailed information for your understanding prior to starting any services and lets you ask questions until you are satisfied.

1.2.     Medical services if necessary to link data between network health providers 

For providing you benefits of medical services, the company’s teams of physicians, nurses and/or other relevant staffs may disclose your personal data to network health providers if necessary to use the data between the network health providers to provide some types of medical services. The company establishes measures to protect personal data by agreements among network health providers to prevent unlawful processing of your personal data or without authority.  

1.3.     To refer patients between health providers

In case, the company puts or receives a request for referral of patient from one provider to another or from one provider to the company’s provider according to referral as set by the company. The company proceeds with referral according to the company’s defined standards and will use your personal data for the purpose of referral only not for other purposes.

Type of data: identification data/ contact data/ health data/ financial data

Lawful Processing:

    1.       Is necessary for complying with the agreement of receiving medical treatment as a counterparty of the company (Section. 24(3))

   2.       For sensitive personal data: legal practice bases in diagnosis and medical treatments such as  Medical Facility Act B.E. 2541 and Medical Profession Act B.E. 2525 (Section. 26(5)(A)).

    3.       For sensitive personal data: To prevent or suppress threats to life, body or health, in case the owner of personal data cannot give self-consent such as undergoing Emergency care or referral between health providers (Section.26 (1))

2. For a purpose of analysis study to develop quality of treatments by unidentified personal data

The company may use your personal data for analysis study to develop quality of treatments by an overall report with unidentified owners of personal data and the company strictly maintains confidentiality of such data.

Type of data: statistical data

Lawful processing: as for Legitimate Interest in analysis of statistic data using unidentified personal data to develop and increase efficacy of organization for medical treatments and other services by the company (Section. 25 (5))

3. Disclosure of the data to your insurance companies or contracts for purposes of rights to claim compensation from insurance companies or to reimburse medical claims  

The company needs to disclose your personal data to insurance companies to comply with a contract that you or the company makes with the insurance companies for compensation or medical reimbursement. Indeed, the company will not disclose your personal data to irrelevant parties. 

Type of data: identification data/ contact data/ health data

Lawful processing: Upon receipt of your intended consent for disclosure of your personal data: health data to insurance companies for a right to claim compensation from the insurance companies or to reimburse medical claims (Section. 26)

4. Disclosure of the data to a party referring you for investigation or a payer when you give consent for disclosure of personal data

In case agency of either government, private sector or state enterprise refers you to the company for treatments or is a payer for your medical expenses, the company will disclose your health data which is sensitive personal data to the aforementioned agency only if you give consent to disclose your data to the agency. The company will directly send you the result of investigation.

Type of data: identification data / contact data/ health data

Lawful processing: Upon receipt of your intended consent for disclosure of personal data (Section. 26)

5. For purpose of linking electronic database of medical records among health providers via mobile application or other online platforms

Once you give consent, the company will enter your personal data into a computer system in the format of a mobile application or other online platforms for your convenience to receive consultations via the application or other online platforms, as well as to manage your data via the application or other online platforms. To maximize benefits, the system will link electronic databases of medical records among network health providers, allowing you to browse your existing personal data maintained by the providers via electronic devices. The company will make agreements with network health providers to protect your personal data in compliance with the Personal Data Protection Act B.E. 2562.    

Type of data: identification data/ contact data/ health data

Lawful Processing: Upon receipt of your intended consent for disclosure of personal data among health providers (Section. 26)

6. For Marketing Purposes

The company may collect, gather, use and analyse personal data for analysing your health condition and contacting you for communication, providing medical information and offering promotion, products and services according to your consent

Type of data: identified data/ contact data/ information of subscription and participation in marketing activities

Lawful Processing: The company will perform this after receiving your consent to the company to use your health data for marketing purposes (Section 26)  

7. To comply with a contract as you are a vendor to the company or process your request for making a contract with the company

The company will process your personal data as you are a vendor with the company for the actions below:

       ·         Communicate with you for activities related to making contract both prior to or after the contract made  

       ·         Be a payer for expenses and wages related to compliance with the contract

       ·          Check for completion and success of performance according to the contract

       ·         Maintain personal data for Internal Audit and other audits according to business standards

Type of data: identification data / contact data

Lawful Processing: It is necessary to comply with a contract as you are a vendor with the company or to process your request for making a contract with the company (Section. 24 (3))

Apart from the aforementioned purposes, the company will not use your personal data for other purposes unless Personal Data Protection Act B.E. 2562 permits such as

• Upon receipt of your consent (Section. 24) or upon receipt of intended consent in case of using sensitive personal data (Section. 26)
• For analysis study or statistic which establishes appropriate protection measures to protect personal data, right and liberty of an owner of personal data (Section. 24(1)) 
• To prevent, suppress threats to life, body or health (Section. 24(2)) 
• To comply with a contract between the company and you (Section. 24 (3))
• To perform duties according to the company’s mission for public interests (Section. 24 (4))
• Legitimate Interest of the company or person or other juristic person except the aforementioned interest is less important than basic rights of personal data owner (Section. 24(3))   
• For legal compliance of the company (Section. 24 (6))
• To prevent, suppress threats to life, body or health in case the use of sensitive personal data when the owner cannot give self-consent regardless of any causes (Section. 26 (1))
• For establishment of rights for legal claims (Section. 26 (4))
• For public health interests or other social protection as the company establishes appropriate measures to protect basic rights and benefits of personal data owner (Section. 26 (5) (B))
• For needs to comply with Labor protection law, provision of medical welfare, social security (Section. 26(5) (C))

Definition

“Personal Data” includes information related to an individual that is identifiable either directly or indirectly excluding the information of the decreased particularly

“Sensitive personal data” includes individual data related to race, ethnicity, political opinion, beliefs, religion or philosophy, sexual behavior, criminal records, health information, disability, trade union information, genetic data, biometric data (such as facial image data, iris data, fingerprint data) or any other information that affects the owner of personal data in a similar manner as defined by committee of personal data protection

“Health information” includes the following information

• Date, month, year of receiving medical treatment  
• History of drug allergy and history of drug side effects  
• History of food allergy
• Diagnosis of disease, procedure name, surgery name
• Blood result, laboratory result, pathological result, radiological images, radiological report
• List of prescribed medication
• Other information such as symptoms, physician’s advice, diagnostic details

“Processing” includes collect, gather, use or disclose

“Personal data controller” includes individual or juristic person who has authority in decision making about collection, gathering, use or disclosure of personal data

“Personal data processor” includes individual or juristic person who performs collection, gathering, use or disclose of personal data according to orders or on behalf of a personal data controller, in addition, the individual or juristic person performing actions as above must not be a personal data controller.

“Bangkok Dusit Medical Services Group” includes companies in BDMS network that already exist or will exist in the future, both registered in Thailand and overseas, including Bangkok Dusit Medical Services Company limited

“Network Health provider” includes health providers in a group or network of BDMS operating both in Thailand and overseas  

Practice Guideline

1. Personal Data the company collects from you

Your personal data collected by the company can be classified as below details

Types of personal data

    1.       Personal data such as name, surname, ID card number, face image, gender, date of birth, passport number or other identifiable numbers  

    2.       Contact data such as address, telephone number, e-mail address

    3.       Financial data such as billing information, credit or debit card information, receipt information, invoice information

   4.       Marketing data: subscription information and marketing participation such as information used for receiving information and participating in marketing activities

    5.       Statistical Data such as unidentified information, the number of patients, a number of website traffic

    6.       Technical data from visiting the website such as IP Address of computer, type of browser, Cookies information time zone setting, operating system, platform and technology of devices used for accessing website and Online Appointment System

   7.       Health data such as treatment information, reports about physical or mental health condition, health cares of service receivers, laboratory test results, diagnosis, diagnosis of disease, information about drug use and drug allergy, history of food allergy, blood result, laboratory result, pathological result, radiological images and radiological report, list of prescribed medication, necessary information for medical services, information of feedback and treatments   

2. Sources of Personal Data

 The company collects your data from the following sources

2.1.     Personal data directly collected from you such as  

2.1.1.  In case you receive investigation and treatment, the company receives your personal data from you contact the company about services or you register for receiving medical services and other services from the company, including registration via electronic media or other online platforms.

2.1.2.  In case you are a vendor of the company, the company receives your personal data from you because you contact the company to ask about going to provide services to the company or the company collects your personal data as you are a vendor who makes a contract with the company.  

2.2.     Personal data indirectly collected such as

2.2.1.  Persons who are close to you such as relatives, spouse etc.

2.2.2.  Person you give authority to act on your behalf in contacting with the company

2.2.3.  Network health providers, in case you already give consent to the network health providers for disclose of your personal data

2.2.4.  Person, juristic person or agency of any government, private sector, or state enterprise who sends you for investigation or services to the company or is a payer for your service expenses

3. Disclosure or sharing of personal data

The company will not disclose your personal data to outside parties except when laws permit for needs in operation so the company may disclose your personal data for the following cases  

    1.       Disclose personal data to government agency, authority agency or any person when laws define or authorize, including following court orders

    2.       Disclose personal data to individual or juristic person the company needs to comply with contract or for your benefits as an owner of personal data. The company requires those individual or juristic person must maintain confidentiality and protect your personal data according to standards as defined by Personal Data Protection Act B.E. 2562, including but not limited to individual or juristic persons as listed below  

●        Network health providers and BDMS group as necessary as for providing investigation and medical services to you as the company will disclose personal data only as necessary and the company will maintain confidentiality of your personal data as its duties complied with relevant laws such as Medical facility Act B.E. 2541, National Health Act B.E. 2550 and Medical Profession Act B.E. 2525

●        Insurance company or its provider managing compensation

●        Health provider servicing patient’s referral

●        The one referring you for investigation or services at a health provider or paying service expenses for you

●        Important personal data analyst to operation of the company such as employee or laboratory service provider, database management, telecommunication, computer system, payment or provider of Technology Outsource

   3.       The company may maintain your personal data in Cloud Computing by using such services from the third party located in Thailand or overseas. The company makes a contract with mentioned persons very thoroughly and considers safety system in maintaining personal data that Cloud Computing service provider in regard to personal data protection

4.Duration of personal data retention

    1.       The company uses standards of duration for retention of medical records in accordance with Medical Facilities Act B.E. 2541 and the latest version, the company will maintain medical records not longer than 10 years from the latest medical visit, upon completion of 10 year duration, all original medical records, copy and electronic medical records will be disposed  

    2.       In case the company must comply with laws, court order or establish rights for legal claims to enter dispute resolution processes, the company may maintain such personal data for the duration according to the legal statute or until the dispute is final as the case may be.   

5. Measures of personal data maintenance and analysis  

    1.       The company will manage the retention of personal data with standards not less than a level required by law and with appropriate system to protect and safeguard such personal data such as the use of Secure Sockets Layer: SSL, protected by firewall, password and other technology measures for encryption of information via the internet, and store in a facility with access protection system that limits the person’s access to personal data kept in a document form.

    2.       The company limits access to personal data that may be accessed by staffs, agents, partners or third party. Access to personal data by the third party can be done according to setting or order. Also, the third party is responsible for maintaining confidentiality and personal data protection

    3.       The company applies technology methods to protect unauthorized access to the computer system

    4.       The company has inspection system to manage the destruction of unnecessary personal data for the company’s operation

    5.       In case of sensitive personal data, the company applies measures to maintain the security of documentation and electronic data for access and control of the use as well as having operating system and backup including emergency plan and conducting regularly risk assessment of the system

6. Overseas transfer of personal data

   1.       In some cases, the company may need to transfer your personal data overseas, the company may perform the transfer after notifying you of objectives of the transfer and receiving your consent. Then the company may inform you about insufficient standards of personal data protection of the destination country

   2.       The company can transfer your personal data without your consent in case the transfer of personal data to overseas is in accordance with a contract you are a partner or the use according to your request prior to making that contract or according to requirements in Personal Data Protection Act B.E. 2562

7. Cookie Policy

When you visit our website, the company uses cookies to ensure you will receive good experience from using the company’s website. Cookie is a small file that stores information and records on to computer devices or communication tools when you access via web browser you choose while visiting the website.

The company uses cookies to collect identity of your website visit, with identity the company can remember the nature of your website using more easily and such data will be used for development of the company website to match with your needs more. For convenience and speed of your website usage sometimes the company may authorize a third party for this operation which may need IP address and cookie for analysis, data link and processing according to marketing purposes. You can set cookies when you enter the company website as you can choose to allow or not allow cookies to perform analysis, data link and processing according to marketing purposes.

8. Rights of personal data owner  

As a personal data owner, you have rights to request the company to process your personal data according to scope allowed by laws as below

   1.       Right to withdraw consent: you have rights to withdraw your consent for personal data processing as consented to the company anytime throughout the period your personal data stored in the company

    2.       Right of access: you have rights to access your personal data and request the company for a copy of aforementioned personal data, including requesting the company to disclose the acquisition of your personal data you did not give your consent 

    3.       Right to rectification: you have rights to request the company to correct incorrect data or add missing data

    4.       Right to erasure: you have rights to request the company to erase your data for some reasons

    5.       Right to restriction of processing: you have rights to request the company to suppress the use of your personal data for some reasons  

    6.       Right to data portability: you have rights to transfer your personal data maintained by the company to other data controllers or yourself for some reasons  

    7.       Right to object: you have rights to object to your personal data processing for some reasons

You can contact Data Protection Officer: DPO through the company service center to submit your request per aforementioned rights to

·         Call center: telephone number 02-310-3899, LINE official account: @BeDeebyBDMS or;

·         Health Plaza company limited: 2/4 Wireless Road, Lumphini sub distric ,Pathumwan district, Bangkok 10330

9. Changes of Personal Data Protection Policy

The company may review and change personal data protection policy in the future to develop better personal data protection, the company will notify you every time the mentioned policy changes

10. Contact channel

You can contact a data controller, inquiry or use any right related to personal data with Data Protection Officer: DPO

                                E-mail: [email protected]

                                Health Plaza Company Limited

                                2/4 Wireless Road,Lumphini sub distric ,Pathumwan district, Bangkok 10330