PRIVACY NOTICE

Policy Framework

Samitivej Public Company Limited (the “Company”) is committed to protecting your personal information as a recipient of medical services, including treatment and related services provided by the Company. Your personal information will be protected under the Personal Data Protection Act B.E. 2562. As a personal data controller, the Company has a legal duty to notify you through this document about the reasons and methods for collecting, using, or disclosing your personal data, as well as informing you of your rights as a data subject.

Purpose

The Company processes your personal data within the scope defined by the Personal Data Protection Act B.E. 2562 and processes data only to the extent necessary for such operations. The Company has summarized the use of your personal data and explained the lawful basis of processing as follows:

For each purpose, the table below gives the purpose, the types of data involved, and the lawful basis of processing.

1. For the purpose of medical treatment and healthcare services

Purpose:

1.1. Providing medical services at the Company’s facilities

The Company’s medical team, including doctors, nurses, and other healthcare staff, will record your personal data and may consult with other medical professionals. Photographs or video recordings may be taken for monitoring and performing any other professional medical procedures as appropriate during your course of care. These will only be performed with your understanding and consent after a clear explanation is provided, and you will have an opportunity to ask questions.

1.2. Providing medical services that require data sharing within a network of healthcare facilities

To enhance your healthcare services, your personal data may be disclosed to other network facilities when necessary. The Company has implemented data protection measures and entered into mutual agreements with network facilities to protect your data from unauthorized processing or unlawful use.

1.3. Transferring patients between healthcare facilities (Refer)

In cases where a transfer request is made to or from another facility, the Company will use your personal data solely for the purpose of facilitating such transfers, following established standards.

Types of data:

– Identification data

– Contact information

– Health data

– Financial data

Lawful basis of processing:

1. Necessary for compliance with a healthcare agreement you have with the Company (Section 24(3))

2. For sensitive personal data: Necessary for medical diagnosis and treatment under relevant laws such as the Medical Establishments Act B.E. 2541 and the Medical Profession Act B.E. 2525 (Section 26(5)(a))

3. For sensitive personal data: Necessary to prevent or suppress harm to life, body, or health when the data subject is unable to give consent, e.g., in emergency care or patient transfers (Section 26(1))

2. For research and analysis to improve healthcare quality without identifying individuals

Purpose:

The Company may use your personal data in aggregated reports without identifying you to analyze and improve healthcare quality while ensuring confidentiality.

Types of data:

– Statistical data

Lawful basis of processing:

For the Company’s legitimate interests (Section 24(5)) in conducting statistical analysis to enhance organizational efficiency without using personally identifiable data.

3. Disclosure to insurance companies for claims or medical expenses

Purpose:

The Company may disclose your personal data to an insurance company as required under your or the Company’s agreement with the insurer, strictly for claim processing or reimbursement purposes. The Company will not disclose your personal data to any unrelated third parties.

Types of data:

– Identification data

– Contact information

– Health data

Lawful basis of processing:

Explicit consent from you for sensitive health data to be shared for claim processing or reimbursement (Section 26).

4. Disclosure to referrers or payers upon your consent

Purpose:

If an organization (public or private) referred you for treatment or pays for your treatment, the Company will disclose your sensitive personal data related to your medical treatment to such entities only upon your explicit consent. If you do not provide such consent, the Company will deliver the medical examination results directly to you.

Types of data:

– Identification data

– Contact information

– Health data

Lawful basis of processing:

Explicit consent from you (Section 26).

5. Electronic health record linking among network facilities

Purpose:

With your consent, your personal data may be included in a networked information system to facilitate your access to healthcare services, enable you to manage your data through the application, and provide comprehensive services through connected electronic health records.

The Company has entered into agreements with network facilities to ensure the protection of your personal data in compliance with the Personal Data Protection Act B.E. 2562 (2019).

Types of data:

– Identification data

– Contact information

– Health data

Lawful basis of processing:

Explicit consent for sharing health data among network facilities (Section 26).

6. For providing services via the Well by Samitivej Application

Purpose:

The Company may collect, use, and process your personal data to provide services through the Well by Samitivej Application, in accordance with the purposes of such services. This includes generating a personal password for accessing services in Corporate Mode, as well as analyzing, managing, and linking your health check-up information with the Well by Samitivej Application database.

Types of data:

– Identification data

Lawful basis of processing:

For the Company’s legitimate interests (Section 24(5)) in providing services through the Well by Samitivej Application, in accordance with the purposes of such services.

7. For facilitating services within the Well by Samitivej Application

Purpose:

The Company may collect, use, and process your location data to facilitate various services under the Well by Samitivej Application. This includes measuring distances in exercise activities and health assessments, identifying your location to recommend nearby healthcare facilities and services, and providing location-based content and promotions.

Types of data:

– Location data

Lawful basis of processing:

Explicit consent for accessing and using your location data to facilitate various services under the Well by Samitivej Application (Section 26).

8. For the Company’s marketing purposes

Purpose:

The Company may collect, use, and process your health data to analyze your health condition, communicate medical information, and provide promotional offers or services with your explicit consent.

Types of data:

– Identification data

– Contact information

– Marketing and subscription data

Lawful basis of processing:

The Company will only proceed with your consent for collecting, using, and processing your health data for marketing purposes (Section 26).

Besides the stated purposes, the Company will not use your personal data for other purposes unless permitted by the Personal Data Protection Act B.E. 2562, such as:

Scope

Definitions

“Personal Data” means any data that identifies a person, directly or indirectly, excluding data of deceased individuals.

“Sensitive Personal Data” means personal data relating to race, ethnicity, political opinions, beliefs in cults, religions or philosophies, sexual behavior, criminal history, health data, disabilities, trade union data, genetic data, biometric data (such as facial recognition data, iris recognition data, fingerprint recognition data), or any other data that similarly affects the data subject as determined and announced by the Personal Data Protection Committee.

“Medical Data” refers to:

“Processing” means collecting, using, or disclosing personal data.

“Data Controller” means a person or juristic person who has the power to make decisions regarding the collection, use, or disclosure of personal data.

“Data Processor” means a person or juristic person who conducts operations related to the collection, use, or disclosure of personal data under the instruction or on behalf of a data controller, provided that such person or juristic person is not a data controller.

“BDMS Group” means companies within the network of Bangkok Dusit Medical Services Public Company Limited, both existing currently and those to be established in the future, whether registered in Thailand or abroad, including Bangkok Dusit Medical Services Public Company Limited.

“Samitivej Group” means companies within the network of Samitivej Public Company Limited, both existing currently and those to be established in the future, whether registered in Thailand or abroad, including Samitivej Public Company Limited.

“Network Facilities” means hospitals within the group or network of Samitivej Public Company Limited and Bangkok Dusit Medical Services Public Company Limited, both operating in Thailand and abroad.


Responsibilities

Guidelines

1. Personal Data Collected

Data collected is categorized as:

Type of Personal Data / Details

1. Identification Data

e.g., name, ID card number, passport, photo, gender, birth date, or other identification numbers

2. Contact Information

e.g., address, phone number, email

3. Financial Data

e.g., billing, credit/debit card details, receipts, invoices

4. Marketing Data

e.g., data used for subscriptions and participation in marketing activities

5. Statistical Data

e.g., aggregated or anonymized data, number of patients, website visits

6. Technical Data

e.g., IP address, browser type, cookies data, time zone settings, operating systems, platforms, and technology of devices used to access websites and Online Appointment Systems.

7. Health Data

e.g., Medical Data, reports related to physical and mental health, healthcare for service recipients, health measurements obtained from various wearable electronic devices and devices that acquire health values (Internet of Medical Things), health risk assessments based on such health measurement data, diagnoses, names of diagnosed diseases, information related to medication use and drug allergies, food allergy history, blood results, laboratory test results, pathological tissue examination results, radiological images and radiological examination reports, medications prescribed by doctors, data necessary for providing medical services, feedback data, and treatment outcomes.

8. Location Data

e.g., geographic coordinates (GPS), country, province, district/sub-district, and approximate location obtained from mobile devices, wearable electronic devices, and Internet of Medical Things devices.


2. Sources of Personal Data

The Company collects personal data from:

(1) Direct sources, such as service registration or inquiries

(1.1) In cases where you are a patient receiving examination and treatment services: The Company obtains your personal data from your inquiries to the Company regarding services, or from your registration for medical services and other services with the Company, either in person at the Company's premises or through electronic media.

(1.2) In cases where you are a service provider (Vendor) to the Company: The Company obtains your personal data from your inquiries to the Company to provide services to the Company, or from the Company's collection of your personal data in your capacity as a service provider entering into contracts with the Company.

(2) Personal data received indirectly includes:

(2.1) Persons close to you, such as relatives, spouses, etc.

(2.2) Persons whom you have authorized to act on your behalf in contacting the hospital

(2.3) Network Facilities in cases where you have given consent for the disclosure of your personal data

(2.4) Persons, juristic persons, or agencies, whether public, private, or state enterprises, that refer you for examination, treatment, or other services with the Company, or who pay for services on your behalf

(2.5) Persons, juristic persons, or agencies that collect your personal data, including health data, under legal grounds and have the lawful right to disclose such personal data, including health data, to the Company.


3. Disclosure or Sharing of Personal Data

The Company will not disclose your personal data to external parties except as permitted by law or as necessary for operations. Personal data may be disclosed under the following circumstances:

(1) To government agencies, authorities, or any person as required by law, including compliance with court orders

(2) To individuals or entities necessary for contractual performance or for your benefit as the data subject. The Company ensures that these parties maintain confidentiality and protect your personal data according to the Personal Data Protection Act B.E. 2562. Such parties include, but are not limited to, the following:

– Network Facilities in Samitivej Group and Bangkok Dusit Medical Services Group, to the extent necessary for providing examination, treatment, and medical services to you. The Company will disclose only the personal data that is necessary, and the Company will maintain confidentiality of your personal data in accordance with the Company's obligations under relevant laws, such as the Medical Establishments Act B.E. 2541, the National Health Act B.E. 2550, and the Medical Profession Act B.E. 2525.

– Insurance companies or their claim management service providers

– Healthcare facilities involved in patient transfers

– Referrers or entities paying for your treatment

– Data processors, such as laboratory services, IT service providers, payment processors, or technology outsourcing companies

(3) To cloud computing providers for data storage and processing, either in Thailand or abroad. The Company ensures that agreements with such providers include measures to safeguard personal data.

4. Retention Period for Personal Data

(1) The Company follows the retention period standards for medical records under the Medical Establishments Act B.E. 2541 (as amended). Medical records are retained for a minimum of 5 years and a maximum of 10 years from the last treatment date. After 10 years, all records will be destroyed, including hard copies, copies, and electronic records.

(2) In cases of legal obligations, court orders, or to establish legal claims, data may be retained as required by the statute of limitations or until disputes are fully resolved.

5. Measures for Data Retention and Processing

(1) The Company employs measures at least as stringent as legal standards to safeguard personal data, including the use of Secure Sockets Layer (SSL) protocols, firewalls, passwords, and other technical measures for data encryption and secure internet transmission, as well as restricted access for physical records.

(2) Access to personal data is limited to authorized personnel, agents, partners, or external parties strictly as necessary, with confidentiality agreements in place.

(3) Technological methods are used to prevent unauthorized access to data systems.

(4) The Company has systems in place to destroy unnecessary personal data securely.

(5) For sensitive personal data, additional measures include access control, controlled usage, backup systems, emergency plans, and regular risk assessments of systems and processes.

6. Transfer of Personal Data Abroad

(1) In certain cases, the Company may need to transfer personal data abroad. Such transfers will be conducted after notifying you of the purpose and obtaining your consent. The Company will inform you if the destination country has insufficient data protection standards.

(2) Transfers may occur without consent if necessary to perform a contract to which you are a party, to comply with your request before entering a contract, or as permitted under the Personal Data Protection Act B.E. 2562.

7. Cookie Policy

When you visit our website, the Company uses cookies to ensure you have a smooth and personalized browsing experience. Cookies are small files stored on your computer or device via your web browser while visiting our website.

Cookies help the Company recognize your visits, understand how you interact with the website, and improve the website’s functionality and content to better suit your needs. In some cases, third-party service providers may also use Internet Protocol (IP) addresses and cookies to analyze, link, and process information for statistical and marketing purposes. You can manage cookie preferences when visiting our website and choose whether to allow cookies for data analysis, linking, and marketing purposes.

8. Rights of Data Subjects

As a data subject, you have the following rights under the law:

(1) Right to Withdraw Consent: You can withdraw consent for data processing at any time as long as your data is held by the Company.

(2) Right of Access: You can access your personal data, request copies, and ask the Company to disclose how it obtained any personal data that was collected without your consent.

(3) Right to Rectification: You can request corrections to inaccurate data or the completion of incomplete data.

(4) Right to Erasure: You can request the deletion of your data for specific reasons.

(5) Right to Restriction of Processing: You can request a suspension of data processing under certain conditions.

(6) Right to Data Portability: You can request the transfer of your personal data to another controller or to yourself.

(7) Right to Object: You can object to data processing for certain reasons.

You can contact the Data Protection Officer (DPO) or the Company’s personal data protection department to exercise your rights at:

Samitivej Public Company Limited; Samitivej Sukhumvit Hospital

133 Sukhumvit 49, Khlong Tan Nuea Sub-District, Watthana District, Bangkok 10110

Call Center Number: 02-0222222

Email: svh.dpo@samitivej.co.th

Samitivej Public Company Limited; Samitivej Srinakarin Hospital

133 Sukhumvit 49, Khlong Tan Nuea Sub-District, Watthana District, Bangkok 10110

Call Center Number: 02-0222222

Email: snh.dpo@samitivej.co.th

9. Changes to the Privacy Policy

The Company may revise and update this privacy policy in the future to enhance data protection. Any changes will be communicated to you.

10. Contact Information

You can contact the data controller for inquiries or to exercise your rights concerning personal data at:

Samitivej Public Company Limited; Samitivej Sukhumvit Hospital

133 Sukhumvit 49, Khlong Tan Nuea Sub-District, Watthana District, Bangkok 10110

Call Center Number: 02-0222222

Email: svh.dpo@samitivej.co.th

Samitivej Public Company Limited; Samitivej Srinakarin Hospital

133 Sukhumvit 49, Khlong Tan Nuea Sub-District, Watthana District, Bangkok 10110

Call Center Number: 02-0222222

Email: snh.dpo@samitivej.co.th