(Patient Privacy Notice)
Thai Occupational Health Research Center, SEMED Living Care Hospital
Thai Occupational Health Research Center, SEMED Living Care Hospital, or Thai Occupational Health Research Center Co., Ltd. is committed to protecting your personal data as a recipient of medical examinations, treatments, and various services from the company. Your personal data will be protected in accordance with the Personal Data Protection Act B.E. 2562 (2019). As the data controller, the company is legally obligated to inform you through this document about the reasons and methods by which the company collects, uses, or discloses your personal data, as well as to inform you of your rights as the data subject.
Objectives
The company processes your personal data within the scope defined by the Personal Data Protection Act B.E. 2562 (2019) and only as necessary for such operations. The company has summarized the use of your personal data and explained the lawful basis of processing as follows:
Personal Data Collected by the Company The personal data that the company collects from you can be categorized as follows:
Definitions
Personal Data means any information relating to an identified or identifiable natural person, whether directly or indirectly, but does not include information of deceased persons.
Sensitive Personal Data means personal data pertaining to race, ethnicity, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data (e.g., facial recognition data, iris scan data, fingerprint data), or any other data that affects the data subject in a similar manner as prescribed by the Personal Data Protection Committee.
Medical Records means the following data:
- Dates of medical visits
- Drug allergies and adverse drug reaction history
- Food allergies
- Diagnosed diseases, procedures, and surgeries
- Blood test results, laboratory results, biopsy pathology results, radiology images, and radiology reports
- Prescribed medications
- Other information such as symptoms, doctor’s recommendations, and diagnostic details
Processing means collecting, using, or disclosing.
Data Controller means a person or legal entity with the authority to make decisions regarding the collection, use, or disclosure of personal data.
Data Processor means a person or legal entity that collects, uses, or discloses personal data according to the instructions or on behalf of the Data Controller. The person or legal entity that performs such activities is not the Data Controller.
Network Hospitals means hospitals within the group or network of Bangkok Dusit Medical Services Public Company Limited, both operating within Thailand and internationally.
Personal Data Collected by the Company
The personal data collected by the company from you can be categorized as follows:
ประเภทข้อมูลส่วนบุคคล
Personal Data such as name, surname, ID card number, photo, gender, date of birth, passport, or other identification numbers.
Contact Data such as address, phone number, email.
Financial Data such as billing information, credit or debit card information, receipts, and invoice data.
Marketing Data such as information used for newsletter registration and participation in marketing activities.
Technical Data such as IP address, browser type, cookies information, time zone settings, operating system, platform, and device technology used to access the website and Online Appointment System.
Health Data such as medical records, physical and mental health reports, patient care information, laboratory test results, diagnoses, names of diagnosed diseases, medication and allergy information, food allergy history, blood test results, pathology biopsy results, radiology images and reports, prescribed medications, necessary medical service information, feedback, and treatment outcomes.
Sources of Personal Data Collected by the Company:
Direct sources from you:
Indirect sources:
- Individuals close to you, such as relatives or spouses.
- Authorized persons acting on your behalf when contacting the hospital.
- Network hospitals, if you have given consent to the network hospital to disclose your personal data.
- Individuals, legal entities, or organizations (government, private, or state enterprises) that refer you for medical services or pay for your services.
Disclosure or Sharing of Personal Data: The company will not disclose your personal data to external parties except as permitted by law and necessary for operations. The company may disclose personal data in the following cases:
- Disclosure to government agencies, authorized entities, or individuals as required by law or court order.
- Disclosure to individuals or legal entities necessary for the company to fulfill contractual obligations or for the benefit of you as the data subject. These individuals or entities are required to maintain confidentiality and protect your personal data according to the standards set by the Personal Data Protection Act B.E. 2562, including but not limited to:
- Network hospitals and Thai Occupational Health Group companies, as necessary for providing medical services. The company will disclose only the necessary personal data and maintain confidentiality as required by relevant laws, such as the Hospital Act B.E. 2541, National Health Act B.E. 2550, and Medical Profession Act B.E. 2525.
- Insurance companies or claim management service providers.
- Hospitals receiving patient referrals.
- Referrers or payers for the hospital’s services on your behalf.
- Personal data processors necessary for the company’s operations, such as contractors or service providers for laboratory testing, data processing, telecommunications, computer systems, payment processing, or technology services (Technology Outsource).
The company may store personal data on cloud computing systems provided by third parties, whether located in Thailand or abroad. The company carefully contracts with these third parties, considering the security measures they provide for personal data protection.
When you are a patient: The company collects your personal data when you contact the company for services, register for medical services, or other services provided by the company, either in person or through electronic means.
Retention Period of Personal Data
The company adheres to the standard retention period for medical records as per the Hospital Act B.E. 2541 and its latest amendments. The company will retain any personal data in the hospital’s system for at least 5 years from the date of record creation. However, for the benefit of medical treatment, the records will be kept until there has been no contact with the company for over 10 years from the date of your last treatment. After the 10-year period, all records, including the original, copies, and electronic records, will be destroyed.
In cases where the company must comply with laws or regulations of other professional councils, court orders, or establish legal claims to enter any dispute resolution process, the company may retain personal data for the duration of the statute of limitations as specified by such laws or regulations, or until the dispute is finally resolved, whichever is applicable.
Measures for the Retention and Processing of Personal Data
The company will retain personal data with measures not less than those required by law and with appropriate systems to protect and secure such personal data. Measures include using security protocols (Secure Sockets Layer: SSL), firewalls, passwords, and other technical measures for encrypting data transmitted over the internet, and storing data in locations with restricted access for physical documents.
The company limits access to personal data to employees, agents, partners, or external parties. External access to personal data is permitted only as specified or ordered, with an obligation to maintain confidentiality and protect personal data.
The company employs technological methods to prevent unauthorized access to computer systems.
The company has a monitoring system to manage the destruction of personal data that is no longer necessary for the company’s operations.
For sensitive personal data, the company will implement measures to secure both document and electronic data access and control. This includes usage and backup systems, emergency plans, and regular risk assessments of the system.
Transfer of Personal Data to Foreign Countries
In certain cases, the company may need to transfer your personal data to foreign countries. The company may proceed with such transfers after informing you of the purpose and obtaining your consent. The company will also inform you about the potentially inadequate personal data protection standards of the destination country.
The company may transfer your personal data without your consent if the transfer is necessary to fulfill a contract to which you are a party, to prevent or suppress danger to your life, body, or health, to carry out your requests prior to entering into a contract, or as required by the Personal Data Protection Act B.E. 2562 (2019).