ImagineHealth Company Limited (referred to as “Company”, “Imagine”, “we,” or “our”) is a medical travel facilitator that is always committed to conducting its business under good corporate governance, including recognizing the importance of data security and privacy where we intend to process your personal data with transparency.
The Company, as the data controller under the Personal Data Protection Act B.E. 2562 (A.D. 2019) (“PDPA”), is aware of the importance of protecting the personal data of patients, contacts, emergency contacts, and others who are involved with the Company (from now on referred to as “you” or “Data Subject”), we, therefore, announce this Privacy Notice (the “Notice“) to inform you of the protection of your personal data that is collected, used, disclosed or transferred (“process” or “processing”) to any other relevant persons by the Company.
We ensure that security protection measures of our standard will secure the processing of your personal data. We will not process your personal data for purposes other than those specified in this Notice unless you consent to it.
“Personal Data” refers to any information that identifies or can be used to identify you, which is collected by the Company as specified in this Notice.
“Sensitive Data” refers to personal data classified as sensitive data under the PDPA that the Company is permitted to collect, use, disclose, and/or transfer with your explicit consent, e.g., the information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, a natural person’s sexual orientation or criminal record, or data concerning health, disabilities, trade union membership, genetic data, biometric data, and other data that affect the Data Subject in the same manner.
2. Personal Data Collected by the Company
The Company will collect, use, disclose and/or transfer your Personal Data which includes, but is not limited to, the following:
2.1 General Personal Data
- Personal information, e.g., title, rank, position, first name, middle name, last name, age, date of birth, gender, photograph, nationality, country of residence, national I.D. card number, passport number, signature, and marital status.
- Contact information, e.g., address, mobile phone number, home phone number, and email address.
- Service information, e.g., the record of doctor’s appointments, room requirements, and other additional services.
- Educational information, e.g., educational background.
- Information appearing on legal documents, e.g., national I.D. card, passport, house registration, driver’s license, government official identification card, certificate of name/surname change, marriage certificate, divorce certificate, and birth certificate.
- Contact information and emergency contact information, e.g., first name, middle name, last name, relationship with patients, and mobile phone number.
- Information about the person who has the authority to act on behalf of the Data Subject (legal representative, guardian, and curator), e.g., name, surname, and national I.D. card.
- Financial information, e.g., billing information, credit or debit card information, and bank account details.
- Information on news subscriptions and marketing activities, e.g., seminar enrollment and promotion registration.
- Information from the Company’s websites, such as I.P. address, cookies, online doctor appointments, and online doctor consultations.
2.2 Sensitive Data
The Sensitive Data that we will collect, use, disclose, and/or transfer, e.g., information concerning religion, health, disabilities, genetic or biometric data, health history, a record of medication/food allergy, treatment result, physical examination result, laboratory result, diagnosis result, medical record, medical certificate, surgical record, radiograph imaging, blood type, picture/audio/animation from medical/surgery/operation procedures, as well as, information that appears in the copy of national I.D. card, e.g., religion and blood type. We will process your Sensitive Data only to the extent required by law or with your prior explicit consent.
3. Source of Your Personal Data
We may collect Personal Data you voluntarily release to us, whether through company service request forms, social media accounts, phone calls, or other forms filled out through the Company’s websites and applications such as appointment forms, inquiry forms, product purchase or service request forms, news subscription forms, including wearable medical devices.
We may receive your Personal Data from other sources, e.g., your family members or intimate persons, any other third party assigned by you to disclose your Personal Data, and Company’s, affiliated companies, representatives, or alliances of the Company.
4. Purposes and Legal Bases
4.1 We will process your personal data based on legal bases as provided below:
We rely on a contractual basis to process your Personal Data to, for instance,
- review your various application requests before entering into a contract;
- medical treatment rights’ claim,
- request payment;
- issue invoices and receipts;
- communicate for the purchase of products and/or services;
- perform contractual obligations;
- deliver products or services;
- proceed to collect or receive payment for products or services.
We rely on a legitimate interest to process your personal data to, for instance,
- verify your identity;
- send medical appointment reminders;
- collect contact information for future inquiries in case an emergency arises and the patient is unable to provide their information;
- provide or deliver services as requested;
- monitor and review the performance of a contractual obligation;
- provide post-sales services;
- manage customer relationships;
- send and follow up a questionnaire to assess customers’ service satisfaction;
- verify and confirm your identity before entering into transactions or contracts;
- financially and internal audit;
- monitor the accuracy of payments, billing, refunds, and compensation;
- monitor compliance with the Company’s regulations;
- investigate or verify facts;
- consult for the establishment of legal claim or proof in the legal process; and
- Your Personal Data may be disclosed to lawyers, legal and tax consultants, external auditors, internal auditors, financial auditors, and any other consultants involved in completing the purposes specified above.
We rely on legal obligations to process your Personal Data to comply with the laws related to medical facilities, for instance, new patient registration, doctor’s appointment, medical services, diagnosis, medical treatment, patient examination, preliminary physical examination, collection and use of contact person’s information to approve of or deny the request for medical treatment, medical benefits claim, and ethical and professional Compliance.
We rely on other legal obligations to process your personal data to, for instance, collect Personal Data as required by law, disclose or submit Personal Data to government agencies as required by law, and comply with applicable laws, regulations, orders of competent authorities, and court orders.
We rely on vital interests to process your personal data to prevent and suppress danger to life, body, or health, for instance, emergency contact.
If you have given your explicit consent, we will process your Personal Data to send news, advertisements, notifications, benefits, and promotions of products and services, beneficial campaigns, or invitations to the Company’s activities via all communication channels provided to the Company.
4.2 We will process your Sensitive Data based on legal bases as provided below:
We rely on legal obligations to process your Sensitive Data to achieve the objectives relating to preventive or occupational medicine, medical diagnosis, health or social services, medical treatments, and health management, for instance:
- Diagnosis and medical treatment;
- Symptoms examination and preliminary physical examination;
- Use of your data for laboratory diagnostics;
- Disclosure of your data to external laboratories or an external radiology room to conduct experiments and diagnosis;
- Processing genetic data to verify identity or relationships before organ transplantation; and Compliance with ethics and professional ethics.
We rely on public health purposes such as processing your health data for healthcare service quality improvement, contagion control, and prevention.
We rely on the necessity to process your Sensitive Data to establish and exercise legal claims as permitted by law, for instance, collecting patients’ medical expenses, invoicing, requesting patients to pay off the invoice, issuing a receipt, and examining patients’ billing and debt payment status.
We rely on vital interests to process your Sensitive Data to prevent and suppress dangers to life, body, or health, such as emergency contact.
If you have given your explicit consent, we will process your Sensitive Data for the purposes outlined in each of the following consent:
- Use of a copy of your national I.D. card that contains Sensitive Data such as religion and blood type to verify your identity;
- Disclosure of your health data to hospitals or medical facilities for patient referral that is not an emergency case;
- Disclosure of your health data and medical certificate to the insurance company to claim your health insurance benefit;
- Disclosure of your health data and medical certificate to your embassy, employer, agency, organization, governmental agencies, or any relevant person to collect payments for your medical services;
- Disclosure of your health data to the insurance company as requested by you or the insurer to enter into an insurance agreement;
- Disclosure of your health data to third parties such as your family members, relatives, dependents, or intimate persons upon their request;
- Disclosure of your health data, medical certificate, and health record to the airline for Fit for Air Travel;
- Disclosure of your health data to our business partners for purposes of developing medical products;
- Processing of your health data, biological samples, and the data obtained from such samples, and disclosure of such data to external laboratories for research and academic purposes.;
- De-identify your health data, biological samples, and the data obtained from such samples to be unidentifiable data for research and academic purposes.;
5. Disclosure of Your Personal Data
We will not disclose your Personal Data for a purpose other than the purposes specified herein unless having been consented to do so.
Personal Data that you have provided to us may be transferred outside Thailand and disclosed to our international agents or partners that you have contacted for our services. We will endeavor to ensure that your right to privacy is protected by security protection measures of our standard.
We may disclose your Personal Data to our group companies and affiliates, vendors, business partners, or third parties, e.g., insurance companies, financial institutions, primary doctors, medical professionals, medical specialists, and/or medical practitioners, medical technology clinics, manufacturers or distributors of drugs and medical supplies, embassy, the person who handle international travel, customer service provider, marketing, advertising and communication service providers, information system providers, cloud service provider, nearby hotels that are alliance with us, transport service providers, document storage service providers, debt collection service providers, accounting and legal consultants, external auditors, internal auditors, financial auditors, and your family, relatives, intimate persons, agencies or employers, and internal organizations such as Bureau Veritas, Joint Commission International (JCI), and Healthcare Accreditation Institute (Public Organization) (HAI). We may proceed with any other actions to complete the purposes specified in this Notice in order to benefit our services.
We will endeavor to ensure that these individuals and organizations will process your Personal Data strictly under this Notice and as permitted by law.
Where it is necessary to disclose your Personal Data to comply with the law, court orders, or orders of any governmental or regulatory agency such as the embassy, the Immigration Office, or relevant agencies to verify your Personal data to prevent fraud or corruption, we reserve the right to do so without your prior consent.
6. Collection of Personal Data of Minors, Incompetent Persons, and Quasi-Incompetent Persons
Where we must process the Personal Data of minors, incompetent persons, or quasi-incompetent persons, we shall have their parents, legal representative, guardian, or curator, as the case may be, consent on their behalf of them.
If a minor or a quasi-incompetent person is legally permitted to give consent on their behalf, we shall require combined consent from them and their legal representative.
If you become aware of the unauthorized collection of Personal Data from minors, incompetent persons, and quasi-incompetent persons without consent being given in the manner according to the above, you can exercise the rights of the Data Subject as the legal representative under the PDPA.
7. Retention Periods & Security Protection Measures
7.1 We will retain your Personal Data for as long as it is necessary to fulfill the purposes specified in this Notice. We may retain your Personal Data as long as agreed on in the contract or per accounting standards, prescription periods, legal obligations, or establishment or exercise of the legal claim as permitted by the law.
7.2 We have an examination system for deletion or destruction of Personal Data in the event of the expiration of the retention period or if such Personal Data is unrelated to or beyond the necessary collection specified by this Notice.
7.3 We will retain your Personal Data in the form of documents, electronic files, computer systems, or other means to ensure that your Personal Data is protected with secured and trustworthy security protection measures of international standard against loss, and unauthorized or unlawful access, use, change, modification, and disclosure.
7.4 We have limited access to your Personal Data and adopted technology to secure your data from cyber-attacks and unauthorized access to our computer and electronic systems. We further ensure that any processing of your personal data by data processors or other third parties will occur under appropriate monitoring.
8. Data Subject’s Right
8.1 Under the PDPA, you, as the Data Subject, are entitled to:
- Request access to, or copies of, your Personal Data collected, used, and disclosed by the Company.
- Request receive or transfer of your Personal Data, in a form collected by us and readable, usable, and disclosable in an electronic format, to another party (the Company reserves the right to charge you a fee, the amount of which is at our discretion.)
- Object to the collection, use, and/or disclosure of Personal Data to the extent permitted by law.
- Have your Personal Data deleted, destroyed, or anonymized by any method permitted by law.
- Sequester your Personal Data from further use by any method unless the law provides otherwise.
- Withdraw your consent given to us at any time unless otherwise restricted by law or contracts. Your withdrawal will not extend to Personal Data to which you have granted consent for processing.
- File a complaint with the competent officer authorized under the PDPA if you believe we have violated, or do not comply with, the PDPA.
- We will endeavor to maintain the accuracy and completeness of your Personal Data. When there is a change or modification to your Personal Data or when you detect that your Personal Data is incorrect, you have the right to make corrections to that.
8.2 The exercise of your rights specified above must comply with the law. Accordingly, the Company reserves the right to refuse any request on grounds permitted by law. If we deny your request, the reason for denial will be recorded in the personal data processing record as required by law.
8.3 The exercise of your rights specified above must comply with the law. The Company reserves the right to refuse any request on grounds permitted by law. If we deny your request, the demand and reasons for denial will be recorded as required by law
8.4 To exercise your right, you may contact us via the contact information provided hereunder. We will process your request and then inform you of the result within 30 days of receiving your request. Where we refuse your request, you will be notified of the reason accordingly.
We reserve the right to alter, adjust, and/or modify this Notice to comply with applicable guidelines, laws, and regulations. If such changes occur, we will inform you of the amended, adjusted, or modified content in the designated channel as soon as it becomes effective. New Notice will only apply to you upon using the service after the revision.
10. Contact Us
Should you wish to exercise any legal rights as specified above or have any questions, concerns, suggestions, or complaints about our privacy notice, you can contact us via the following channels:
ImagineHealth Company Limited
2nd Floor, 252 Krung Thonburi Road Soi Sathorn Mansion 1,
Khlong Ton Sai, Khlong San District, Bangkok 10600
Data Protection Officer (DPO)
Email: [email protected]
ImagineHealth Company Limited
01 January 2023