Praram 9 Hospital Public Company Limited (“Company”) is committed to protecting and respecting of your privacy under the Thai Personal Data Protection Act B.E. 2562, as amended from time to time, as well as other applicable laws and rules in Thailand (collectively “the PDPA”). We intend to protect your personal information that we collect, use, or disclose during the course of our business activities, including our core services, services via website or via applications. We have the obligations as stipulated in any laws regarding the protection of personal data, privacy, or data security that are applicable and effective in Thailand. This Policy is a part of our efforts to fulfil the objective of this Policy, which is to comply with the PDPA.

Scope of the Privacy Policy

This Policy stipulates our practice concerning privacy; the purposes of collection, use, or disclosure of Personal Data; the categories of Personal Data that we may collect, use, or disclose; the intention of Personal Data use; third parties whom we may disclose Personal Data to; the collection and retention of Personal Data; how you can access or request rectification of your Personal Data that is stored by us; and how you can lodge a complaint in case of noncompliance with the applicable law on personal data protection.

Please read this Policy carefully.

Definitions

“Company” means Praram 9 Hospital Public Company Limited, including any representative of any such company.

“Affiliate” means Praram 9 Hospital Public Company Limited and any companies associated with or its subsidiaries of Praram 9 Hospital Public Company Limited, including any representative of any such company.

“Personal Data” means any information that relates, whether directly or indirectly, to an identified or identifiable person, or which can be used to distinguish or trace an individual’s identity, whether by reference to such information alone, or when combined with other identifying information.

“Sensitive Personal Data” means any information as specified in Section 26 of the Thai Personal Data Protection Act, as amended from time to time, as well as other applicable laws and rules, such as information about race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal backgrounds, health information, disability, labor union information, genetic data, biometric data, or any other information that similarly affects the data subject.

“Processing” means the collection, use, or disclosure of Personal Data.

“Personal Data Controller” means any individual or legal entity authorized to make decisions concerning the collection, use, or disclosure of Personal Data.

“Personal Data Processor” means any individual or legal entity that processes the collection, use, or disclosure of Personal Data, in accordance with instructions, or on behalf, of the Controller. Any person who performs the Processing is not considered a Controller.

This Privacy Policy applies to any “Personal Data” that is collected from, and relates to, any of the following persons: patients, healthcare professionals, employees; job applicants; former employees; the persons under the care of, or the relatives of, patients, healthcare professionals, job applicants and/or employees, whose names are given to the Company by job applicants and/or employees; representatives of employees; and any other persons whose Personal Data may be collected by us from time to time. In addition to hard copy documents, the Company may collect Personal Data from any of the websites or mobile applications made available by the Company, or from third-party channels through which you have provided your Personal Data.

1. What type of information about you do we collect?

We collect only Personal Data that is reasonably necessary for our activities. The categories of individuals whose Personal Data are collected include, but are not limited to, the following:

The patient and/or persons regarded as having any relationship to the patient(s) e.g., the patient has reached adulthood and has the ability to make decisions under the law and/or patients who are minors which require consent from a parent or legal guardian, including any relatives in the case where the patient is unconscious.

The categories of Personal Data that we may collect depend on the nature of the activities that you have with us, including your locations, and the means used to collect the Personal Data, which may include the following information:

Patients and any persons who have relationship with the patients

• Personally identifiable information, such as your name, address or contact details, gender, age, nationality, marital status, date of birth, and passport/ID Card number; identification.
• Information about your property, such as your car license number and bank account details; information about persons under your care; your travel information, such as your visa application, travel schedules, and flight information.
• Sensitive Personal Data, such as your religious belief, health-related data, health data, medication record, allergy record, follow-up diagnosis in case of routine physical examination, feedback and treatment information you provide or any other information of a similar nature, and biometric data, such as face scans and fingerprints.
• Information about your employment, such as details of your workplace.
• Information of services which you receive such as doctor’s appointment information, relatives’ personal data, requirements for rooms, meals, and other additional services.
• Information relating to benefits in order to confirm the eligibility to receive the services such as social security, health insurance, details of your other benefits.
• Subscription information and participation in marketing activities such as registration for events, seminars, follow-up calls, calling to specify and to remind the date of service appointments, marketing analysis to offer suitable products and services.
• Statistical data such as the number of patients, data for research, data for website visits including IP address, Cookies, Online Appointment System.
• Equality and diversity information (only if you give consent)
• Audio/ visual information about you, if any

Any provision of your Personal Data is voluntary. You have the option not to give any information that is requested by the Company. However, lack of such information may result in the Company’s inability to provide you with certain benefits, or the Company may not be able to perform its contractual obligations related to its services to you.

Some of the Personal Data collected by us may be considered “Sensitive Personal Data.” We intend to collect Sensitive Personal Data only upon your explicit consent, and as reasonably necessary for our business operations, or as required by law, court orders, or orders of any government agencies, or in cases where you intentionally disclose such data to the public. We intend to share Sensitive Personal Data only when we deem that it is necessary to be collected, used, or processed which the Company is not required to receive your explicit consent if the processing is for any of the following objectives:

• o prevent or suppress a danger to the life, body, or health of the data subject, when the data subject is incapable of giving consent for whatever reason.
• To carry out legitimate activities, with appropriate safeguards, of foundations, associations, or any other not-for-profit bodies with political, religious, philosophical, or trade union purposes for their members.
• The information is disclosed to the public with your explicit consent
• To establish, comply with, exercise, or defend legal claims
• It is necessary for compliance with the law to achieve purposes relating to
• preventive medicine or occupational medicine, the assessment of working capacity of the employee, medical diagnosis, the provision of health or social care, medical treatment, the management of health or social care systems and services. In the event that it is not for compliance with the law, and such Personal Data is under the responsibility of the occupational or profession practitioner or person having the duty to keep such Personal Data as confidential under the law, it must be for compliance with the contract between the data subject and the medical practitioner
• public interest in public health, such as protecting against cross-border dangerous contagious disease or epidemics which may be contagious or pestilent, or ensuring standards or quality of medicines, medicinal products or medical devices, on the basis that there is a provision of suitable and specific measures to safeguard the rights and freedom of the data subject, in particular maintaining the confidentiality of Personal Data in accordance with the duties or professional ethics
• employment protection, social security, national health security, social health welfare of the entitled person by law, the road accident victims protection, or social protection in which the collection of Personal Data is necessary for exercising the rights or carrying out the obligations of the Data Controller or the data subject, by providing the suitable measures to protect the fundamental rights and interest of the data subject
• scientific, historical, or statistical research purposes
• the substantial public interest

2. How do we collect your Personal Data?

Generally, we collect your Personal Data directly from you, such as patients registration form, job application forms or any documents provided before becoming the Company’s personnel, director, or executive; forms or systems for registration as our service provider or vendor; the Company’s channels for receipt of information or its website; oral methods, such as by phone or through video/virtual conferences; emails or other communication channels; and through mobile applications which are made available by the Company or any related company.

We do not collect Personal Data from visitors to our website, except for Personal Data provided without solicitation and technical data, as described in this privacy policy.

In some circumstances, we may collect your Personal Data from another person, whom you may or may not have a direct connection with. For example, we may collect your Personal Data from:

• Persons who have any relationship with the patient, whether they are relatives or not. who provide your information to the company
• Your employer, when your employer gives us your contact details
• Hospitals in networks, other hospitals, companies in network, business partners and allied businesses
• Any organization of which you are a member
• An employee of the group of companies, who recommends you, via telephone, email, or other communication channels
• Business partners such as insurance companies, car rental companies, hotels or other venue providers or their representatives, partners participating in the loyalty program list and benefits and other companies involved in providing services to you or fulfill the above objectives
• Thailand Securities Depository Co., Ltd., and/or banks/financial institutions
• Contractors, vendors, or service providers
• Banks, and payment service providers such as credit / debit card companies
• Officers or security and safety agencies
• Immigration agency and customs agency
• Government agencies, regulators and other agencies as permitted or required by law
• Your representatives and
• Information disclosed to the public, any mailing or marketing list that is disclosed to the public, for commercial purposes, by the private sector, any trade association, and/or any government agency, such as on a website, or online social media (such as Facebook or LinkedIn), etc.

3. What are our objectives of processing your Personal Data?

We collect Personal Data to enable us to operate our business. Such Personal Data will be used for the following objectives:

Patients and any persons who have relationship with the patients

• Provide services or deliver the services of the company. and your access to services whether online or offline
• Facilitate and present a list of benefits
• Make a doctor’s appointment, send a doctor’s appointment notification message or offer assistance from the Company, send news, recommend or offer hospital services
• Coordinate and forward information to hospitals in the network and other hospitals which will allow faster referrals
• Identify the patients
• For any other benefits related to business operations to assist the Company in its business operations, such as promotion. products and services presenting to customers or partners, customer relations for communications, answering questions or responding to complaints related to the use of the Company’s services, such as service problems, any claim or loss in order to improve and develop products or services, to organize training or conduct statistical analysis or market analysis, and conduct consumer surveys, manage information systems, test, develop and maintain systems and control measures to ensure security.
• Accounting or financial purposes, such as verifying credit card payments, issuing invoices, and validating the refunds
• Security including safety while being treated in the hospital
• Comply with the hospital’s regulations
• Comply with any laws, regulations, rules, regulations or requests from government agencies, such as complying with subpoenas. or court order or any other lawful request
• Other purposes that support the implementation of the above objectives. or with your consent from time to time

If we collect your Personal Data for any other purposes, we intend to inform you of such objectives at the time of collection.

4. In which case and how do we disclose your Personal Data to a third party?

We do not sell Personal Data, but we may share anonymized or de-identified Personal Data to third parties.

We intend to disclose Personal Data only for the original purpose for which the data was collected, or for related objectives, for our business operations or management, including when it is necessary for the provision of products or services as per your requests, assisting us in our business operations, or for security purposes, as described above.

Furthermore, sometimes we may disclose your Personal Data to third parties, for the original purpose for which data was collected, or for related objectives. For example, we may disclose your Personal Data if it is necessary for the delivery of our products or services, or for your participation in activities, as requested by you, for the Company’s business operations, for security purposes, or for compliance with the law.

We may share your Personal Data with any of the following parties:

• Our Affiliates, or any companies in the same group of companies as Praram 9 Hospital Public Company Limited
• Hospital affiliates, other hospitals, business affiliates, partnerships, and alliances
• Business partnerships, such as hospitality services or other event organizers
• Shareholders, including their executives, whether they are natural persons or legal entities, companies in the same group as the shareholders’
• Organizers, advertisers, the press, and sponsors of events or exhibitions
• Our contractors, service providers, suppliers, and other agents, who act on behalf of the Company or who are retained by the Company, such as event-related service providers, banking or financial service providers, hosting service providers, cloud application or network providers, event registration service providers, domestic and overseas tourism service providers, security service providers, auditing service providers, legal service providers, insurance service providers, marketing survey service providers, email management service providers, postal service providers, representatives and agents that sell or promote products and services on our behalf, auction service providers, each of which may not be based in Thailand, and which may be based in a country where personal data protection standards are inadequate, or sub-standard, when compared to the Thai PDPA.
• Thailand Securities Depository Co., Ltd., banks, or financial institutions, as the case may be
• Any persons to whom you agree to provide your Personal Data
• Persons engaged in the sale of the Company’s business, in whole or in part, a merger, or acquisition; and
• Any persons or government agencies, as required by the law, Court orders, or orders of any competent authorities
• Officers or security and safety agencies, immigration agency and customs agency, supervisory bodies, government agencies, private organizations, or state-owned enterprises having the duty, according to the law, to supervise the Company’s business operations, when they require the Company to disclose Personal Data

We may hire third parties to fulfil any of the above objectives, whether in whole or in part, or for the development or maintenance of our system. In such cases, we will control and put in place measures to ensure that such third parties will store and use Personal Data strictly in accordance with this policy, any data security requirements and conditions, and the personal data protection law.

5. Data Retention

To secure Personal Data, the Company has implemented the following measures:

1. The right to access, use, disclose, and process Personal Data is limited to certain individuals. The identity verification requirement, before accessing or using Personal Data, must be strictly complied with.
2. The Company has established a safe encoding method to prevent loss or unauthorized or unlawful access, destruction, use, alteration, or disclosure of Personal Data.
3. Personal Data may be transferred, including transfer for storage on a database, to an external organization or a third country only if the personal data protection measures implemented by such organization, or third country, are of equal or higher standards than the measures hereunder.
4. In cases the Company retains a third party to store the Personal Data of employees, such as document storage companies, the Company will require those companies to keep the information confidential, and prohibit any use out of the purposes determined by the Company.

We will collect, use, disclose, and retain your Personal Data throughout our legal relationship with you, such as throughout the service providing period, the hiring, the sale and purchase of our products. Upon the end of the relationship, we will retain your data, including Personal Data, only as necessary for the fulfilment of the above purposes, which in no case shall exceed 10 years from our last contact, or from the end of our relationship with you, except where it is necessary for the Company to retain your Personal Data for more than 10 years, to the extent that it is so permitted by law.

We may store Personal Data on networks of which the servers are in Thailand. However, we may transfer Personal Data to a third country, in order to achieve any of the purposes specified above. We will comply with any personal data protection law which is applicable to your Personal Data.

6. Our Website

When you visit publicly accessible pages on our website, the server of our website will keep log records, as well as the following data:

• Your IP address, which simply is a unique address that identifies your computer when it is connected to the Internet
• Your search words
• The operating system and Internet browser that you are using; and
• The information downloaded by you (such as web pages, document files, and software), and the time of such downloading.

The above data will be used only for statistical purposes, to analyze the frequency of users visiting each page of our website so that we can improve our website or services.

If you contact us, register through any of our websites, or email us, we intend to use your Personal Data only in response to your requests or inquiries. If your consent is given as required by law, we may add your email address to your contact details for mailing purposes. You may opt out of receiving information about the Company, events, sales promotions, or products and/or services of the Company.

Cookies

As for any restricted parts of our website, we will use cookies, which are tools that recognize your device and record certain information during your visit to our website using the same device. Our website uses cookies in order to better respond to you when you use certain parts of the website. The information collected and analyzed by us includes information about your computer and connections, such as the type and version of the browser being used by you, the type and version of the browser plug-ins being used by you, your operating system, and your language preference. Such information does not relate to, and cannot identify, a person. You may change your browser settings so that your browser does not detect cookies, or disable cookies.

It is important that you do not share your password with anyone, and you do not allow any person to access your computer without your authorization. You should log out every time, if you access our website through a shared computer.

Log Files

We may automatically keep log files, which include IP addresses, error reports, activities, timestamps, and URLs. Such information may be associated with personally identifiable information, and must be retained for a time period as required by law.

CCTV

We use a CCTV system to record images of persons and vehicles around our premises, for public safety and for prevention and detection of crimes. Our CCTV cameras provide 24-hour footage of our entrance, lobby, balconies, outdoor parking areas, areas along our fence, and other accessible areas. The information is recorded for one month, and is then overwritten. Camera locations were chosen to avoid footage which is not related to the purpose of inspection and monitoring. We do not keep audio recordings.

Live feeds from our CCTV system can be examined, only in necessary circumstances, by an authorized person. We believe that live feeds and visual recordings are seen only by our authorized employees, who are directly responsible for access to such information. We respect your privacy. We do not have CCTV cameras in locations where privacy can be expected, such as toilets.

Other websites or applications

Our website and application on mobile phone may contain links to third-party websites provided by third parties or other agencies. We do not control those websites. If you follow those links, this Privacy Policy does not apply to third party websites. Please note that we cannot assume any responsibility for the use or any conduct of your personal data by such third parties because it is out of control of the company.

Before you disclose your personal data to any websites linked from our website, or any websites or mobile applications operated or made available by us for third parties, we recommend that you read their privacy policies, and the terms and conditions of such websites or applications.

7. Minors

We do not know the age of each visitor to our website. If you are a parent or guardian of a minor who provides their Personal Data to us without your knowledge and consent, you may contact us and request us to delete such data, in accordance with this Privacy Policy. For the purpose of this Policy, a minor is anyone who is below 20 years of age.

8. Consent

To the extent permitted by personal data protection law, when you use or access our website, or provide Personal Data to us, it shall be deemed that:

• You give consent to our collection, use, and processing of your Personal Data, for the purposes and by the methods specified above, which may be amended from time to time, unless and until you withdraw such consent. You may withdraw your consent at any time, by giving us written notice of your consent withdrawal. We can reject your request, if permitted by law; and
• You give consent to our disclosure, or the transfer, of your Personal Data to third parties, for the purposes and by the methods specified above. You may withdraw your consent anytime, by giving us written notice of your consent withdrawal.

If you provide Personal Data of another person, you must obtain prior consent from that person. In such event, you represent and warrant that you have obtained consent from that person, or you are otherwise entitled to provide Personal Data of such person to us. When you provide Personal Data of such person to us, it shall be deemed that you represent that such person acknowledges and gives consent under this privacy policy.

If applicable personal data protection law requires any additional consent, we, or any of our third-party service providers, will obtain your consent for the collection and use of your Personal Data at the time of collection.

You are obligated to provide your Personal Data to the Company to enable us to fulfil your requests, or to provide services to you, as requested. Your lack of approval for the collection, use, processing, or disclosure of certain types of Personal Data requested by us may result in our inability to fulfil our legal obligations, or perform our business, or conduct transactions with you.

9. Your rights

1. Right of withdrawal of consent: You may withdraw your consent at any time, unless it is otherwise specified by law. Withdrawal of your consent will not affect the lawfulness of any data processing based on your consent before its withdrawal.
2. Right to erasure of Personal Data: You have the right to request the erasure of your Personal Data that is in our possession or control, or request that such data be anonymized.
3. Right to data portability: You have the right to request the transfer of your Personal Data, in a commonly used and machine-readable format, to another controller, which is subject to legal requirements.
4. Right to object: You have the right to object to the collection, use, or disclosure of your Personal Data, or the cessation of our use of your Personal Data, except as requested in accordance with the relevant legal provisions.
5. Right to temporarily restrict the use of your Personal Data: You have the right to request that we restrict the processing of your Personal Data. That is, the Controller may continue to keep your Personal Data, but can no longer process such data, unless consent is given, or it is permitted by law.
6. Right of access: You have the right to request access to, and obtain a copy of, your Personal Data that is held by us. Any such request will take 30 days to process, unless otherwise specified by law.
7. Right to rectification: You have the right to request that we keep your Personal Data accurate, complete, and updated, which we do in every step of our procedures.
8. Right to complain: You have the right to file complaints with officers, or any supervisory authorities, in regard to personal data protection.

10. How to contact us ?

Should you have any questions about this privacy policy, or wish to exercise any of your rights concerning the Processing of your Personal Data, please contact us at: Praram9 Hospital ,99 Bangkapi Huai Khwang,Bangkok,10310 / E-mail [email protected] or Telephone number 1270

The following details must be provided to the company:

• Full Name, Identification Number / Passport Number
• The subject of contact purposes and details of the issues occurred
• Telephone number and reachable address, including an email address

11. Revisions of our Personal Data Protection Policy

We may review and amend this privacy policy from time to time, so that it corresponds with any amendments to the applicable law, including the law on personal data protection, or any changes in our technology, etc. We ask that you regularly visit our website for updates. When we update this Policy, we will inform users by displaying the message ‘Newly updated.’ after the link to this Privacy Policy on our website for 30 days. To comply with the legal requirements, we may seek your prior consent for changes to this Policy, if necessary.

Privacy Policy (Patients and any persons who have relationship with the patients) is effective from 27th May 2022.

Satian Pooprasert, M.D

Chief Executive Officer

Praram 9 Hospital Public Company Limited