Patient Privacy Notice Bangkok Hospital Ratchasima Company Limited

Bangkok Hospital Ratchasima Co., Ltd. (hereinafter referred to as “the company”) is committed to protecting your personal data as a patient who undergoes investigations, treatments and medical services, including other services provided by the company. Your personal data is to be protected in compliance with the Personal Data Protection Act B.E. 2562. The company, as the controller of such personal data, is responsible by law for notifying you through this document of the reasons and methods by which the company collects, uses, or discloses your personal data, and for informing you of your rights as the owner of such personal data.

 

Objectives

The company processes your personal data within the scope defined by the Personal Data Protection Act B.E. 2562 and processes the data only as necessary for the aforementioned actions. The company summarizes its use of your personal data and explains the lawful basis of processing for the data in the details below:

For each purpose, the details below give the purpose, the type of data, and the lawful basis of processing.

1. For the purpose of investigation and providing medical services

1.1. Providing medical services within healthcare providers of the company.

The company’s teams of physicians, nurses and/or other staff in health teams will record your personal data and take such information for consultation with physicians or medical staff including taking imaging and video for further follow up and/or any actions according to relevant professional principles throughout the period you are receiving the services. The company explains detailed information for your understanding prior to providing any services and also gives you an opportunity to ask questions until you are fully satisfied.

1.2. Providing medical services if necessary to link data among network healthcare providers.

For the benefit of providing medical services, the company’s team of physicians, nurses and/or other relevant staff may disclose your personal data to the network of healthcare providers when it is necessary to use the data among the network of healthcare providers to provide certain medical services. The company establishes measures to protect personal data through mutual agreements among the network of healthcare providers to prevent unlawful or unauthorized processing of personal data.

1.3. For referral between healthcare providers.

In case the company requests or receives a request to refer a patient from one provider to another provider, or to refer a patient to the company’s provider for continuation of care according to the referral standard set by the company, the company will use personal data only for the referral purposes and not for other purposes.

Type of data:

– Identified data

– Contact data

– Health data

– Financial data

Lawful basis of processing:

  1. It is necessary in compliance with the contract agreement for medical treatment where you are a contracting party with the company (Section 24(3)).
  2. For sensitive personal data: to comply with the legal basis in diagnosis and medical treatment such as the Health Facility Act B.E. 2541 and the Medical Profession Act B.E. 2525 (Section 26(5)(A)).
  3. For sensitive personal data: to prevent or suppress a threat to life, body or health, in case the owner of personal data cannot give self-consent, such as when undergoing emergency care or being referred between healthcare providers (Section 26(1)).
2. For the purpose of analytical study to develop the quality of treatments, using data that does not identify the personal data owner.

The company may use your personal data for analytical study to develop the quality of treatments, in an overall report format that does not identify the owners of personal data, and the company strictly maintains the confidentiality of such data.

Type of data:

– Statistical data

Lawful basis of processing:

For the legitimate interest of the company in analyzing statistical data without using personally identifying information, to develop and enhance the organization’s efficiency in medical treatment and other services (Section 24(5)).
3. Disclosure of the data to insurance companies or contractors for the purpose of exercising the right to claim compensation from insurance companies or to reimburse medical claims.

The company is required to disclose your personal data to insurance companies to comply with a contract that you or the company have made with the insurance companies for claim compensation or medical reimbursement. The company will not disclose your personal data to irrelevant parties.

Type of data:

– Identified data

– Contact data

– Health data

Lawful basis of processing:

Upon receiving your intended consent, your personal medical data will be disclosed to insurance companies for the purpose of claiming compensation or reimbursing medical claims (Section 26).
4. Disclosure of the data to the agency or entity that referred you for examination or is responsible for payment, upon your consent to disclose personal data.

In case an agency of the government, the private sector or a state enterprise refers you to the company for treatment or is the payer for your medical expenses, the company will disclose your health data, which is sensitive personal data, to the agency only when you have given consent to disclose your data to the agency; otherwise, the company will send the medical reports directly to you instead.

Type of data:

– Identified data

– Contact data

– Health data

Lawful basis of processing:

Upon receiving your intended consent to disclose your personal data (Section 26).
5. For the purpose of linking electronic databases of medical records among healthcare providers via mobile application.

Once you have given consent, the company will store your personal data in a computer system in the form of a mobile application, for your convenience in receiving consultation via the application and for you to manage your own data via the application. To maximize benefits, the system will link electronic databases of medical records among the network of healthcare providers so that you can access your existing personal data stored with the providers via electronic devices. The company has agreements with the network of healthcare providers to protect your personal data in compliance with the Personal Data Protection Act B.E. 2562.

Type of data:

– Identified data

– Contact data

– Health data

Lawful basis of processing:

Upon receiving your intended consent to disclose your medical personal data among healthcare providers (Section 26).
6. For marketing purposes.

The company may collect, use and process personal data to analyze your health conditions, communicate, provide medical information, and offer promotions, products and services according to your consent.

Type of data:

– Identified data

– Contact data

– Data on subscribing to and participating in marketing activities

Lawful basis of processing:

The company will proceed with these activities after receiving your consent for the company to use your health data for marketing purposes (Section 26).
7. In order to operate in compliance with the contract agreement as a service provider to the company or to proceed with your request for entering into the contract with the company.

The company will process your personal data, as you are a service provider to the company, for operations such as the following:

  • Communicating with you regarding activities related to entering into the contract, both before and after signing the contract.
  • Processing payments and compensations in compliance with the contract agreements.
  • Ensuring proper completion and successful execution of work as stated in the contract agreements.
  • Storing personal data for internal audit and business standard audit.

Lawful basis of processing:

It is necessary in compliance with the contract agreement as a service provider to the company or to proceed with your request for entering into the contract with the company (Section 24(3)).

Apart from the aforementioned purposes, the company will not use your personal data for other purposes unless permitted by the Personal Data Protection Act B.E. 2562, such as:

  • Upon receipt of your consent (Section 24) or receipt of intended consent in case of using sensitive personal data (Section 26).
  • For analysis study or statistics, where appropriate protection measures are established to protect the personal data, rights and liberty of the personal data owner (Section 24(1)).
  • To prevent and suppress a threat to life, body or health (Section 24(2)).
  • To comply with a contract agreement between the company and you (Section 24(3)).
  • To perform duties according to the company’s mission for public interests (Section 24(4)).
  • For the legitimate interest of the company or a person or other juristic person, except where the aforementioned interest is less important than the fundamental rights of the personal data owner (Section 24(5)).
  • For legal compliance of the company (Section 24(6)).
  • To prevent and suppress a threat to life, body or health in case of using sensitive personal data when the data owner cannot give self-consent, regardless of the cause (Section 26(1)).
  • For the establishment of rights for legal claims (Section 26(4)).
  • For public health interests or other social protection, where the company establishes appropriate measures to protect the fundamental rights and benefits of the personal data owner (Section 26(5)(B)).

 

Definition

“Personal Data” includes information related to an individual that makes the individual identifiable, either directly or indirectly, excluding the information of the deceased in particular.

“Sensitive Personal Data” includes individual data related to race, ethnicity, political opinion, beliefs, religion or philosophy, sexual behavior, criminal records, health information, disability, trade union information, genetic data, biological data (such as facial image data, iris simulation data, fingerprint replica) or any other information that affects the owner of personal data in a similar manner as defined by the committee of personal data protection.

“Health data” includes the following data:

  • Day, month, year of receiving medical treatment
  • History of drug allergy and history of drug side effects
  • History of food allergy
  • Diagnostic disease, procedure name, surgery name
  • Blood result, laboratory result, pathological result, radiological images, and radiological report
  • List of prescribed medication
  • Other information such as symptoms, physician recommendation, diagnostic details

“Process” includes to collect, gather, use or disclose.

“Personal Data Controller” includes an individual or juristic person who has authority in decision making about the collection, gathering, use or disclosure of personal data.

“Personal Data Processor” includes an individual or juristic person who performs the collection, gathering, use or disclosure of personal data according to orders or on behalf of a personal data controller; in addition, the individual or juristic person performing the above actions must not be a personal data controller.

“Bangkok Dusit Medical Services Group” includes companies in the BDMS network that currently exist or will exist in the future, regardless of whether they are registered in Thailand or overseas, including Bangkok Dusit Medical Services Company Limited.

“Network health provider” includes health providers in a group or network of BDMS operating both in Thailand and overseas.

 

Personal data BDMS collects from you

Your personal data collected by BDMS can be classified as follows:

Type of personal data: Details

  1. Personal data: such as name, surname, ID card number, face image, gender, date of birth, passport number or other identifiable numbers.
  2. Contact data: such as address, telephone number, e-mail address.
  3. Financial data: such as billing information, credit or debit information, receipt information, invoice information.
  4. Marketing data: such as registration information used for subscription and marketing participation.
  5. Statistical data: such as unidentified data, number of patients, and number of website visits.
  6. Technical data: such as computer IP address, type of browser, cookie information, time zone setting, operating system, platform and technology of devices used for accessing the website and the Online Appointment System.
  7. Health data: such as treatment information, reports on physical or mental health condition, health care instructions, laboratory test results, diagnosis, name of diagnosed diseases, drug use and drug allergy information, history of food allergy, blood test results, laboratory examination results, pathological results, radiological images and reports, list of prescribed medications, necessary information for medical services, feedback and treatment information.

 

Sources of Personal Data

BDMS collects and gathers your personal data from the following sources:

  1. Personal data collected from you directly, such as:
    • In case you are receiving investigation and treatment, the company receives your personal data from your contact with the company, inquiries about services, or self-registration for medical services and other services from the company, including registration information via electronic media.
  2. Personal data collected from you indirectly, such as from:
    • Persons who are close to you, such as relatives, spouse, etc.
    • Persons you have given authority to act on your behalf in contacting the hospital.
    • The network of healthcare providers, in case you have already given consent to the network of healthcare providers to disclose your personal data.
    • A person, juristic person, or agency of the government, the private sector, or a state enterprise who refers you to the company for medical services or pays for your service expenses.

 

Disclosure or Sharing of Personal Data

The company will not disclose your personal data to outsiders except when permitted by law for operational necessity. Therefore, the company may disclose your personal data in the following situations:

  1. Disclosure of personal data to a government agency, authority agency or any person when laws define or authorize it, including complying with court orders.
  2. Disclosure of personal data to an individual or juristic person where the company is required to comply with a contract agreement for your benefit as a personal data owner. The company must ensure that those individuals or juristic persons maintain confidentiality and protect your personal data in accordance with the standards defined by the Personal Data Protection Act B.E. 2562, including but not limited to the individuals or juristic persons listed below:
    • The network of healthcare providers and the BDMS group, as necessary for providing diagnostic investigation and medical services to you. The company will disclose personal data only as necessary and will maintain the confidentiality of your personal data in accordance with the company’s obligations under relevant laws such as the Health Facility Act B.E. 2541, the National Health Act B.E. 2550 and the Medical Profession Act B.E. 2525.
    • Insurance companies or assistance companies managing compensation on their behalf.
    • A healthcare provider receiving a patient referral.
    • An individual who refers you for diagnostic investigation or services at a health provider or pays service expenses on your behalf.
    • A personal data processor necessary for the company’s operation, such as a contractor or a laboratory, database management, telecommunication, computer system, payment, or technology service provider (Technology Outsource).
  3. The company may store personal data in a data processing system (Cloud Computing) by using such services from a third party, whether located in Thailand or overseas. The company has entered into contracts with the aforementioned parties very thoroughly and has considered the security system for maintaining personal data provided by the Cloud Computing service provider for the protection of personal data.

 

Duration of Personal Data Retention

  1. The company follows the standards for the duration of retention of medical records in accordance with the Health Facilities Act B.E. 2541 and its latest amendments. The company will retain medical records in its system for a minimum of 5 years from the date that the company created the records. For medical benefits, the records will be kept until you have not contacted the company for more than 10 years from the latest medical visit. Upon completion of that 10-year duration, all original medical records, copies, and electronic medical records will be destroyed.
  2. In case the company must comply with laws, regulations of other professional councils, or a court order, or must establish rights for legal claims to enter into dispute resolution processes, the company may maintain such personal data for the duration of the statutory retention period as required by the law or regulation or until the dispute is finally resolved, whichever is applicable.

 

Measures of Personal Data Retention and Processing

  1. The company will manage the retention of personal data to standards not less than those required by law, with an appropriate system to protect and secure personal data, such as the use of Secure Sockets Layer (SSL), firewall protection, passwords, and other technology measures for encryption of information via the internet, and will store personal data in document format in a facility with an access protection system that limits access to it.
  2. The company limits access to personal data which is accessible by staff, agents, partners, or third parties. Access to personal data by a third party can be done only as assigned or directed. Also, the third party is responsible for maintaining confidentiality and protecting personal data.
  3. The company establishes technological methods to prevent unauthorized access to the computer system.
  4. The company has an inspection system to manage the destruction of personal data that is unnecessary for the company’s operation.
  5. In case of sensitive personal data, the company implements measures to ensure the security of documentation and electronic data, covering access and control of usage, provides operating and backup systems with an emergency plan, and regularly conducts risk assessment of the system.

 

Overseas Transfer of Personal Data

  1. In some cases, the company may need to transfer your personal data overseas. The company may perform the transfer after notifying you of the objectives of the transfer and receiving your consent. The company may inform you about insufficient standards of personal data protection in the destination country.
  2. The company can transfer your personal data without your consent when the transfer of personal data overseas is to comply with a contract to which you are a party, or to prevent or suppress any threat to the life, body or health of the personal data owner, or for use according to your request prior to entering into that contract, or according to requirements in the Personal Data Protection Act B.E. 2562.

 

Cookie Policy

When you visit our website, the company uses cookies to ensure you receive a good experience from using the company’s website. A cookie is a small file that stores information and is recorded on your computer device or communication tool when you visit the website through the web browser you choose.

The company uses cookies to identify your visits to the website. With this identification, the company is able to easily recognize the pattern of your website visits, and such data will be used for development of the company website to meet your needs. For convenience and speed of using the website, the company may occasionally authorize a third party for this operation, which may require an Internet Protocol address (IP address) and cookies to analyze, link, and process data for marketing purposes. You can set your cookie preferences when entering the company’s website to allow or not allow cookies to analyze, link, and process data for marketing purposes.

 

Rights of Personal Data Owner

As a personal data owner, you have the right to request the company to process your personal data within the scope allowed by law, as below:

  1. Right to withdraw consent: you have the right to withdraw the consent for personal data processing that you have previously provided to the company at any time during the period your personal data is stored with the company.
  2. Right of access: you have the right to access your personal data and request a copy of the aforementioned personal data from the company, including requesting the company to disclose how it acquired personal data for which you did not give consent.
  3. Right to rectification: you have the right to request the company to correct any incorrect data or add any incomplete data.
  4. Right to erasure: you have the right to request the company to erase your data for certain reasons.
  5. Right to restriction of processing: you have the right to request the company to withhold the use of your personal data for certain reasons.
  6. Right to data portability: you have the right to transfer your personal data maintained by the company to other data controllers or yourself for certain reasons.
  7. Right to object: you have the right to object to the processing of your personal data for certain reasons.

 

Change of Personal Data Protection Policy

The company may review and change the personal data protection policy in the future to improve the protection of personal data. The company will notify you when the aforementioned policy has changed.

 

Contact Channels

You can contact the Data Protection Officer for inquiries or to exercise your rights related to personal data through the following channels:

  • Email: [email protected]
  • Address: 1308/9 Mitraparp Rd., Muang District, Nakhonratchasima 30000
  • Other Hospital contacts such as Telephone number 044 015 999