Privacy Policy for patients who receive medical examination and treatment
Vimut Hospital Company Limited (hereinafter referred to as “Hospital”) is committed to protecting your personal data as a patient who undergoes examination, treatment, and medical services, including other services provided by the Hospital. Your Personal Data will be protected under the Personal Data Protection Act B.E. 2562 and/or secondary laws relating to personal data protection (collectively the “Applicable Personal Data Protection Laws”). The Hospital, as the Data Controller, is legally obligated to notify you, through this policy, of the purposes and methodology by which the Hospital collects, uses, discloses and/or transfers your Personal Data to a foreign country, as well as to ensure that your Personal Data is protected and kept safe in accordance with Personal Data protection laws, and to inform you of your rights as the Data Subject. The Hospital, therefore, encourages you to read and understand this Policy. The details are as follows:
1 Definitions
In this policy, words and phrases can be defined as follows:
| Term | Definition |
|---|---|
| 1. Personal Data | means any data which can identify a natural person directly or indirectly, but not including information relating to a deceased person. |
| 2. Sensitive Data | means any collection of Personal Data pertaining to racial, ethnic origin, political opinions, cult, religious, or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the Data Subject in the same manner, as prescribed by the Personal Data Protection Committee. |
| 3. Data Subject | means any person-related data which can be identified as a natural person directly or indirectly. |
| 4. Processing | means the collection, use, and/or disclosure of the Data Subject’s Personal Data. |
| 5. Website | means any website owned or provided by Vimut Hospital as the case may be. |
| 6. Data Controller | means a natural person or a juristic person who has authority over the collection, use, or disclosure of the Personal Data. |
| 7. Data Processor | means a natural person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller. |
2 Collection of Personal Data
2.1 The types of Personal Data collected are as follows:

| Type | Examples |
|---|---|
| 1. Personal data | such as name, surname, portrait, gender, date of birth, age, nationality, passport or national identification number, or other identification number. |
| 2. Contact data | such as address, phone numbers, email, address on important documents, current residence. |
| 3. Financial data | such as billing information, credit/debit card information, receipt, and the Hospital account details. |
| 4. Service data | such as doctor appointment information, relatives’ Personal Data, room and food preferences, and other additional services. |
| 5. Marketing Data | such as information used to register to receive news and participate in marketing activities. |
| 6. Statistical Data | such as anonymous information, number of patients, and record of Website’s visit. |
| 7. Technical data | such as IP Address, browser, Cookies, and Online Appointment System, WiFi and Information Technology. |
| 8. Health data | such as medical treatment history, records on physical and mental health, health care services of the patient, laboratory test results, diagnosis, name of diagnosed disease, information related to drug use and drug allergies, history of food allergy, blood results, pathological biopsy results, radiographic photographs, and reports on the result of radiology examination, list of prescribed medications, other information necessary to provide medical services, feedback and treatment results. |
| 9. Data or copied document issued by government agencies | such as a national identification card, passport, visa, house registration document, certificate of name changes, government officer identification card/state enterprise, social security card, health insurance card. |
| 10. Other data | such as CCTV, complaints data, marketing information, status of being contractual parties or litigants, information from survey. |
2.2 Personal Data of minors, quasi-incompetent persons, and incompetent persons. The Hospital does not intend to collect Personal Data of a minor, quasi-incompetent person, or incompetent person unless the Hospital obtains consent from the parental guardian (where consent is required and the minor is unable to give consent on his own), guardian, or curator (as the case may be). Nonetheless, where the Hospital has collected Personal Data of a person who is a minor, quasi-incompetent, or incompetent without consent from the person exercising parental power to act on behalf of such minor, the guardian, or the curator (as the case may be), the Hospital shall delete that Personal Data as soon as practicable, unless the Hospital has a legitimate ground with a legal basis to collect, use, or disclose their Personal Data and/or transfer their Personal Data to foreign countries.

Failure to provide Personal Data to the Hospital may affect you. For example, the Hospital may be unable to perform the actions you have requested, such as providing advice or treatment, and the Hospital may be unable to offer or provide medical treatment or services as appropriate, which may cause inconvenience.
3 Sources of Personal Data
3.1 The Hospital obtains Personal Data directly from you. In case you undergo an examination and receive treatment, the Hospital receives your Personal Data from you when you contact the Hospital about services or self-register for medical treatment and other services from the Hospital, including registering via electronic means.
3.2 The Hospital may receive your Personal Data from third parties, including: people who are close to you, such as your parental guardians, spouse, children, referrals, emergency contacts, caregiver of people with disabilities, relatives, etc.; a person whom you have authorized to act on your behalf in contacting the affiliated Hospitals, in the event that you have given consent to affiliated Hospitals that they can disclose your Personal Data; and a natural person, a juristic person, or an agency, whether government, private or state enterprise, that refers you for an examination or services from the Hospital or is the person who is responsible for the service expense. If you provide Personal Data of third parties to the Hospital, affiliated Hospitals, parental guardians, spouse, children, people who are close to you, referrals, emergency contacts, caregivers of people with disabilities, you are responsible for providing information on this Policy to the third parties so that they are aware of the collection, use, disclosure, and/or overseas transfer of Personal Data, for seeking consent or having another legal basis for the collection, use, disclosure, and/or overseas transfer of Personal Data of such third parties, and for ensuring that the Hospital can collect, use, disclose, and/or transfer Personal Data to foreign countries in accordance with the law.
4 Purposes of Processing of Personal Data
The Hospital collects, uses, and/or discloses your Personal Data by relying on a lawful basis to collect, use, and/or disclose it, for the following purposes:
4.1 For a purpose of examination and providing medical treatment. The team of doctors, nurses, and other staff in the Hospital’s health team will record your Personal Data and use your Personal Data to consult with doctors or health care professionals. This includes taking still images and videos for assessing the readiness of the patient before, during, and after special diagnosis, for further follow-up and/or any actions in accordance with the relevant professional principles throughout the period you receive the services. The Hospital will explain detailed information for you to understand before proceeding and give you the opportunity to ask questions until your satisfaction is met.
4.2 For a purpose of analytical studies to improve the quality of medical care. The Hospital may use Personal Data and Sensitive Data such as medical examination results, laboratory or radiology results, etc., for analytical studies for improving the quality of medical care, to improve and develop the process of providing services, and to store information in a database of the affiliated hospitals. In this regard, the Hospital and the personnel of the health care facility have a strict duty to maintain the confidentiality of your Personal Data.
4.3 For a purpose to provide services or deliver services of the Hospital, such as sending doctor appointment reminders, sending newsletters, and recommending the Hospital’s services.
4.4 For accounting or financial purposes, such as storing all types of payment documents of service recipients, financial evidence and accounting records, verification of credit card payments, etc.
4.5 For a purpose of exercising the right to claim compensation from the insurance company or the right to reimburse medical expenses, the Hospital is required to disclose your Personal Data to the insurance company in order to perform under the contract that you or the Hospital has made with the insurance company, and for the benefit to claim compensation or reimbursement. The Hospital will not disclose your Personal Data to any unrelated person.
4.6 For marketing purposes, promotion, and customer relations, such as sending information about promotions, products, and services, creating a membership card to offer benefits, promotional items and business partners.
4.7 For a purpose of conducting research and publishing articles. The Hospital may use your Personal Data and medical information which is considered Sensitive Data, including health examination results and other health-related information such as congenital disease, treatment history, food and drug allergy history, laboratory results, etc., to send information about a research project to verify correctness, to send the research results, summary, articles, abstracts, to send detailed information about the research to the Human Research Ethics Committee for consideration, to send information to be analyzed and summarized by outsourcing, to send research information to a research center for analysis and conclusion, to send research information to an external committee for consideration, to send research information to sponsor companies, and to analyze research results and research summary.
4.8 For a purpose to prevent improper or illegal acts (or for security purposes). The Hospital may record and store data from CCTV which is installed around the buildings and various locations according to security measures to prevent the danger that may occur to the occupants of the buildings or cause damage to the Hospital.
4.9 For complying with any law, regulations, or request from a government agency, such as documentary witnesses in cases related to the law, compliance with the court orders, or other legitimate requests.
In addition to the purposes stated above, the Hospital will not use your Personal Data for other purposes except where permitted by the Personal Data Protection Act B.E. 2562 such as:
- Upon obtaining your consent (Section 24) or upon obtaining your explicit consent in case of Sensitive Data (Section 26)
- For analysis study or statistic which establishes appropriate protection measures to protect Personal Data, right and liberty of the Data Subject. (Section 24(1))
- For preventing or suppressing a danger to a person’s life, body, or health in case the Data Subject cannot give consent. (Section 24(2))
- For the performance of a contract between the Hospital and you. (Section 24(3))
- For the performance of a task carried out in the public interest of the Hospital (Section 24(4))
- For the legitimate interest of the Hospital or natural person or juristic person except the aforementioned interest is less important than the fundamental rights of the Data Subject (Section 24(5))
- For legal compliance of the Hospital (Section 24(6))
- For establishment or defense of legal claims (Section 26(4))
- For the interest of public health or protection of any other public interests, where the Hospital has put in place appropriate measures to protect the fundamental rights and interests of the Data Subjects (Section 26 (5) (b))
- For the compliance with laws relating to labour protection, medical service benefits, and social security (Section 26 (5) (c))
5 Disclosure of Personal Data
The Hospital shall only disclose your Personal Data under the informed purposes above to the following related individuals or agencies:
5.1 Affiliated Hospitals, in which the Hospital may disclose to employees or personnel of affiliated Hospitals as necessary for processing in accordance with the purposes as informed.
5.2 Government agencies, regulatory authorities, or other agencies under the law including officers or agencies that have duties or exercise right according to the law such as the Revenue Department, Office of Personal Data Protection Commission, Royal Thai Police, courts, hospital, and/or any other relevant government agencies or requesting information on a case-by-case basis.
5.3 Insurance companies or their compensation managing providers;
5.4 Hospitals that the patients are referred to;
5.5 The person who refers you to be examined or to receive services from a health provider, or third-party payor;
5.6 Service provider who acts as a Data Processor which the Hospital has designated or hired for the purpose of managing or Processing the data for the Hospital in various services, such as laboratory services, security services, information technology services, or other services relating to the operation of the Hospital, or services which may benefit you; and
5.7 The Hospital may disclose to affiliated Hospital, branches of Vimut Hospital Company Limited, companies in the housing business group of Pruksa Real Estate Public Company Limited, and other companies in the Pruksa Group (including but not limited to Panalee Estate Company Limited/ Phutthachad Estate Company Limited). The Hospital will rely on consent the Hospital obtained from you in which you gave consent to disclose your Personal Data to such employees or agencies.
6 Cross-Border Personal Data transfer
The Hospital may send or transfer your Personal Data to foreign countries (for example, for cloud backup servers located overseas), where such destination countries may or may not have the same Personal Data protection standard as Thailand. Therefore, the Hospital will carry out various procedures and measures to ensure the safe transfer of Personal Data and also to ensure that the recipient of Personal Data has adequate Personal Data protection standards set forth by laws or falls under exceptions as required by Personal Data Protection Law.
7 Retention Period in storing Personal Data
7.1 The Hospital uses the standard retention period of medical records in accordance with the Medical Facilities Act B.E. 2541 and the latest version. The Hospital will maintain medical records in its system no longer than 10 years from the latest medical visit. Upon completion of 10 years, all original medical records, copies and electronic medical records will be disposed of.
7.2 In the event that the Hospital is required to comply with the laws or court orders, or must establish rights for legal claims to enter dispute resolution processes, the Hospital may maintain such personal data for the duration in the legal statute or until the dispute is final, as the case may be.
At the end of the retention period, the Hospital will delete or destroy Personal Data or anonymize Personal Data as unidentifiable data.
8 Links to the Website of Third Parties
The Hospital’s Website may contain links to third parties’ websites. Such third parties may collect certain information about your use of the service, and the Hospital cannot be held responsible for the security or privacy of your information that is collected by the third parties. You should exercise caution and review the privacy policy of those third parties’ websites, products, and services.
9 Rights of the Data Subject
As a Data Subject, you have the right to request the Hospital to process your Personal Data according to the scope allowed by laws as follows:
9.1 You have the right to access your Personal Data or request a copy of the aforementioned Personal Data from the Hospital, or request the Hospital to inform you of any acquisitions of Personal Data for which consent has not been given.
9.2 You have the right to request the Hospital to rectify information so that it is correct, current, complete and not misleading, in the case where you foresee that such Personal Data is inaccurate, outdated, incomplete, or may cause misunderstanding.
9.3 You have the right to withdraw your consent for the Hospital to collect, use, and/or disclose your Personal Data at any time, unless the revocation of consent is limited by law or a contract that benefits you, such as where you still have debt or are bound by legal obligations towards the Hospital. Nevertheless, your withdrawal of consent may prevent you from receiving services or transacting with the Hospital, or it may reduce the efficiency of the services to be received from the Hospital.
9.4 You have the right to receive your Personal Data from the Hospital, in case the Hospital has made the Personal Data in a readable or generally usable form by automatic tools or devices that can be used or disclosed by automatic means. You may request the Data Controller to send or transfer the Personal Data in such formats to other Data Controllers if it can be done by automatic means, and request to directly obtain the Personal Data in such formats that the Hospital sends or transfers to other Data Controllers, unless it is impossible to do so because of the technical circumstances.
9.5 You have the right to object to the processing of Personal Data relating to you at any time in the following cases:
(1) In a case where information is collected for reasons of necessity for the operation of the Hospital’s public interest or for legitimate benefits of the Hospital.
(2) In a case of processing Personal Data for direct marketing purposes.
(3) In a case of processing Personal Data for scientific, historical, or statistical research, unless necessary for the public interest of the Hospital.
9.6 You have the right to request the Hospital to delete or destroy or make your Personal Data non-identifiable.
9.7 You have the right to request the Hospital to suspend the use of Personal Data in the following cases:
(1) When the Hospital is in the process of investigation as requested by you, to ensure that your Personal Data is accurate, current, complete, or does not cause misunderstandings.
(2) When it is Personal Data that must be deleted or destroyed because it is Personal Data that is processed unlawfully, but you request to suspend the use instead.
(3) When Personal Data is no longer necessary for the Hospital to keep, but you need the Hospital to keep it in order to establish legal rights, compliance, or exercise of legal claims, or use as defense in a legal claim.
(4) When you exercise your right to object to the processing of Personal Data, and the Hospital is in the process of proving to deny the exercise of your rights.
9.8 You have the right to file a complaint with a panel of experts in accordance with Personal Data Protection Law, in case the Hospital or Personal Data Processor, including employees and contractors of the Hospital or Personal Data Processor, violates or fails to comply with Personal Data Protection Law or legal announcement.
In this regard, the Hospital reserves the right to consider the request for the exercise of the above rights and act in accordance with Personal Data Protection Law. If you wish to exercise the above rights, you can do so by contacting the Hospital via email or website.
Security Measures for Storing Personal Data
The Hospital recognizes the importance of maintaining the security of your Personal Data. The Hospital, therefore, requires measures to appropriately maintain the security of Personal Data to prevent the loss, access, destruction, use, alteration or disclosure of Personal Data by unauthorized persons in order to comply with the policies and/or guidelines for maintaining the information technology security of the Hospital.
The Hospital will provide measures to maintain the security of Personal Data, including administrative protection measures, technical precautions and physical safeguards in relation to access or control of the use of Personal Data, which consist of one of the following actions:
1) Implementing access control of the Personal Data and equipment used for storing and Processing Personal Data, with utmost consideration given to practical usage and security.
2) Determination of permission or assigning rights to access Personal Data.
3) User access management to control access to Personal Data only for an authorized person.
4) Determining the user’s responsibilities to prevent unauthorized access to Personal Data, disclosure, foreshadowing or illegal copying of Personal Data, theft of Personal Data storage or processing tools; and
5) Providing means to enable retrospective review of access, change, deletion or transfer of Personal Data, consistent with the methods and mediums used for collecting, using, or disclosing Personal Data.
10 Improvement or Revision of Privacy Policy
This Privacy Policy is intended to provide you with details and methods for protecting your Personal Data. The Hospital may, from time to time, improve or amend this Privacy Policy in whole or in part in order to comply with changing legal guidelines. Therefore, you are encouraged to keep up to date with this Privacy Policy.
11 Contact Information
If you wish to contact the Hospital, have any questions, or would like to inquire about the details of the processing of Personal Data, including your rights as the subject of Personal Data in accordance with this policy, or have a reasonable reason to believe that your Personal Data is misused, you can contact the Hospital through the following channels:

Vimut Hospital
Address: No. 500 Phahon Yothin Road, Samsen Nai Sub District, Phayathai District, Bangkok, 10400
Email: dpo-office@vimut.com
Tel. 02-079-0000

Data Protection Officer
Address: 500 Phahon Yothin Road, Samsen Nai Sub District, Phayathai District, Bangkok, 10400
Email: dpo-office@vimut.com
Tel. 02-079-0000