Policy Notice
BNH Medical Centre Co., Ltd. is committed to protecting your personal information as a recipient of medical services, including treatment and related services provided by the company. Your personal information will be protected under the Personal Data Protection Act B.E. 2562. As a personal data controller, the company has a legal duty to notify you through this document about the reasons and methods for collecting, using, or disclosing your personal data, as well as informing you of your rights as a data subject.
Purpose
The company processes your personal data within the scope defined by the Personal Data Protection Act B.E. 2562 and processes data only to the extent necessary for such operations. The company has summarized the use of your personal data and explained the lawful basis of processing as follows:
Purpose | Types of Data | Lawful Basis of Processing |
1. For the purpose of medical treatment and healthcare services. 1.1 Providing medical services at the company’s facilities: The company’s medical team, including doctors, nurses, and other healthcare staff, will record your personal data and may consult with other medical professionals. Photographs or video recordings may be taken for monitoring and treating your condition. These will only be performed with your understanding and consent after a clear explanation is provided, and you will have an opportunity to ask questions. 1.2 Providing medical services that require data sharing within a network of healthcare facilities: To enhance your healthcare services, your personal data may be disclosed to other network facilities when necessary, subject to an agreement to protect your data from unauthorized processing or unlawful use. 1.3 Transferring patients between healthcare facilities (Refer): In cases where a transfer request is made to or from another facility, the company will use your personal data solely for the purpose of facilitating such transfers, following established standards. | Identifiable data; Contact information; Health data; Financial data | 1. Necessary for compliance with a healthcare agreement you have with the company (Section 24(3)); 2. For sensitive personal data: Necessary for medical diagnosis and treatment under relevant laws such as the Medical Establishments Act B.E. 2541 and the Medical Profession Act B.E. 2525 (Section 26(5)(a)); 3. For sensitive personal data: Necessary to prevent or suppress harm to life, body, or health when the data subject is unable to give consent, e.g., in emergencies or patient transfers (Section 26(1)) |
2. For research and analysis to improve healthcare quality without identifying individuals: The company may use your data in aggregated reports without identifying you to analyze and improve healthcare quality while ensuring confidentiality. | Statistical data | For the company’s legitimate interests (Section 24(5)) in statistical analysis to enhance organizational efficiency without using identifiable personal data. |
3. Disclosure to insurance companies for claims or medical expenses: The company may disclose your data to an insurance company as required under your or the company’s agreement with the insurer, strictly for claim processing or reimbursement purposes. | Identifiable data; Contact information; Health data | Explicit consent from you for sensitive health data to be shared for claim processing or reimbursement (Section 26). |
4. Disclosure to referrers or payers upon your consent: If an organization (public or private) referred you for treatment or pays for your treatment, the company will only share sensitive personal data with such entities upon your explicit consent. | Identifiable data; Contact information; Health data | Explicit consent from you (Section 26). |
5. Electronic health record linking among network facilities: With your consent, your data may be included in a networked information system to facilitate consultations, manage data, and provide comprehensive services through connected electronic health records. | Identifiable data; Contact information; Health data | Explicit consent for sharing health data among network facilities (Section 26). |
6. For the company’s marketing purposes: The company may use your health data to analyze your health condition and communicate promotional offers or services with your explicit consent. | Identifiable data; Contact information; Marketing and subscription data | The company will only proceed with your consent for using health data for marketing purposes (Section 26). |
Besides the stated purposes, the company will not use your personal data for other purposes unless permitted by the Personal Data Protection Act B.E. 2562, such as:
- With your consent (Section 24) or explicit consent for sensitive data (Section 26)
- For research or statistical purposes with appropriate safeguards (Section 24(1))
- To prevent harm to life, body, or health (Section 24(2))
- To comply with a contract with you (Section 24(3))
- For public interest tasks (Section 24(4))
- For legitimate interests not overriding fundamental rights (Section 24(5))
- For legal compliance (Section 24(6))
- To prevent harm when explicit consent cannot be obtained (Section 26(1))
- For legal claims (Section 26(4))
- For public health or social protection with safeguards (Section 26(5)(b))
- For labor law compliance, healthcare benefits, or social insurance (Section 26(5)(c))
Scope
Definitions
“Personal Data” means any data that identifies a person, directly or indirectly, excluding data of deceased individuals.
“Sensitive Personal Data” refers to data about race, ethnicity, political opinions, religious beliefs, health, genetics, biometrics, or other similar sensitive information.
“Medical Data” refers to:
- Date of medical service
- Drug allergies and side effects
- Diagnoses, procedures, and surgeries
- Lab results and radiology reports
- Prescriptions and treatment recommendations
“Processing” means collecting, using, or disclosing data.
“Data Controller” refers to a person or entity deciding on data processing methods.
“Data Processor” refers to a person or entity processing data on behalf of a data controller.
“BDMS Group” refers to Bangkok Dusit Medical Services Public Company Limited and its affiliates.
“BNH Medical Centre and Samitivej Group” refers to BNH Medical Centre Co., Ltd., Samitivej Public Company Limited, and their affiliates.
“Network Facilities” refer to healthcare facilities affiliated with BNH Medical Centre, Samitivej Group, and BDMS Group.
Responsibilities
Guidelines
1. Personal Data Collected
Data collected is categorized as:
Type of Personal Data | Details |
1. Identifiable Data | e.g., name, ID card number, passport, photo, gender, birth date |
2. Contact Information | e.g., address, phone number, email |
3. Financial Data | e.g., billing, credit/debit card details |
4. Marketing Data | e.g., data for subscriptions and marketing activities |
5. Statistical Data | e.g., non-identifiable website visits |
6. Technical Data | e.g., IP address, browser type, cookies |
7. Health Data | e.g., medical records, diagnostics, treatment data |
2. Sources of Personal Data
The company collects personal data from:
- Direct sources, such as service registration or inquiries
  1.1 Medical service recipients
  1.2 Service providers (vendors)
- Indirect sources, such as referrals or third parties
  2.1 Relatives
  2.2 Authorized representatives
  2.3 Network healthcare facilities
  2.4 Payers or referrers
3. Disclosure or Sharing of Personal Data
The company will not disclose your personal data to external parties except as permitted by law or as necessary for operations. Data may be disclosed under the following circumstances:
- To government agencies, authorities, or any person as required by law, including compliance with court orders
- To individuals or entities necessary for contractual performance or your benefit as the data subject. The company ensures that these parties maintain confidentiality and protect your personal data according to the Personal Data Protection Act B.E. 2562, including but not limited to the following:
  - Network healthcare facilities under BNH, Samitivej Group, or BDMS Group for medical treatment and healthcare services
  - Insurance companies or their claim management service providers
  - Healthcare facilities involved in patient transfers
  - Referrers or entities paying for your treatment
  - Data processors, such as laboratory services, IT service providers, payment processors, or technology outsourcing companies
- To cloud computing providers for data storage and processing, either in Thailand or abroad. The company ensures agreements with such providers include measures to safeguard personal data.
4. Retention Period for Personal Data
- The company follows the retention period standards for medical records under the Medical Establishments Act B.E. 2541, keeping records for a minimum of 5 years and a maximum of 10 years from the last treatment date. After 10 years, all records will be destroyed, including hard copies, copies, and electronic records.
- In cases of legal obligations, court orders, or to establish legal claims, data may be retained as required by the statute of limitations or until disputes are resolved.
5. Measures for Data Retention and Processing
- The company employs measures at least as stringent as legal standards to safeguard personal data, including the use of Secure Sockets Layer (SSL) protocols, firewalls, passwords, and other technical measures for encryption and restricted access.
- Access to personal data is limited to authorized personnel, agents, partners, or external parties strictly as necessary, with confidentiality agreements in place.
- Technological methods are used to prevent unauthorized access to data systems.
- The company has systems in place to destroy unnecessary personal data securely.
- For sensitive personal data, additional measures include access control, backup systems, emergency plans, and regular risk assessments.
6. Transfer of Personal Data Abroad
- In certain cases, the company may need to transfer personal data abroad. Such transfers will be conducted after notifying you of the purpose and obtaining your consent. The company will inform you if the destination country has insufficient data protection standards.
- Transfers may occur without consent if necessary to perform a contract to which you are a party, to comply with your request before entering a contract, or as permitted under the Personal Data Protection Act B.E. 2562.
7. Cookie Policy
When visiting the company’s website, cookies are used to ensure the best experience. Cookies are small files stored on your device via your web browser to collect and save information.
The company uses cookies to recognize your visits and preferences, improving the website to suit your needs and provide faster navigation. Third-party services may analyze and process data, such as IP addresses and cookies, for marketing purposes. You can manage cookie settings on the website to allow or block analysis and data processing.
8. Rights of Data Subjects
As a data subject, you have the following rights under the law:
- Right to Withdraw Consent: You can withdraw consent for data processing at any time as long as your data is held by the company.
- Right of Access: You can access your personal data, request copies, and ask for disclosure of how data was obtained without your consent.
- Right to Rectification: You can request corrections to inaccurate data or add incomplete data.
- Right to Erasure: You can request the deletion of your data for specific reasons.
- Right to Restriction of Processing: You can request a suspension of data processing under certain conditions.
- Right to Data Portability: You can request the transfer of your personal data to another controller or yourself.
- Right to Object: You can object to data processing for certain reasons.
You can contact the Data Protection Officer (DPO) or the company’s personal data protection department to exercise your rights at:
Email: [email protected]
Address: 9/1 Convent Road, Silom Subdistrict, Bangrak District, Bangkok 10500
Phone: +66–2022–0700
9. Changes to the Privacy Policy
The company may revise and update this privacy policy in the future to enhance data protection. Any changes will be communicated to you.
10. Contact Information
You can contact the data controller for inquiries or to exercise your rights concerning personal data at:
Email: [email protected]
Address: 9/1 Convent Road, Silom Subdistrict, Bangrak District, Bangkok 10500
Phone: +66–2022–0700