BSL Clinic Co., Ltd. (“Company”) respects and attaches importance to the right of privacy regarding the personal data of the general public, such as individuals with legal relations and/or members of the general public who contact the Company, website users, individuals requesting information, contacts via Call Center, delivery personnel (messengers), payees, and survey respondents (“You”), and is responsible for safeguarding the security of your personal data under the supervision of the Company, and is committed to managing such data in a secure, safe, and reliable manner.
In this regard, the Company has prepared this Privacy Notice for the General Public (“Notice”) to explain the practices regarding personal data and sensitive personal data, and to clarify details concerning the collection, use, disclosure, and the purposes for which the Company processes personal data, as well as to inform you of your rights, with details as follows:
1. Types and Sources of Personal Data
The Company collects your data by requesting information directly from you, which may be in the form of documents or electronic data. You may be asked to fill in information on documents prepared by the Company, or to enter information into an online platform specified by the Company and/or by any other methods. However, due to the nature of certain activities, the Company is required to process some of your data, which may be information that the Company has received from sources other than directly from you. In this regard, the personal data collected by the Company from you may vary depending on the circumstances and the nature of the activities for which the Company needs to process your data.
1.1 General Personal Data
1.1.1 Personal details such as title, first name, last name, date of birth, signature
1.1.2 Contact details such as address, contact location, telephone number, and email
1.1.3 Documents issued by government agencies such as identification card, driving license, including any other documents used for identification and verification
1.1.4 Membership information, details regarding your relationship with the Company, channels and methods by which you interact with the Company, details of exercising rights, and complaints related to products and services
1.1.5 Market research data, questionnaires, feedback, and customer survey information
1.1.6 Device and software information, computer identification number (IP address), technical specifications and unique identifiers such as cookies, web beacons, logs, device ID, type of device, network, connection data, access data, login log, access time, duration of time spent on the Company’s pages
1.1.7 Social media account information, such as usage details, search history, browsing data, responses to the Company’s advertisements, including content you view, links clicked, features you use, and service requests, website usage data, platforms, and searches for the Company’s products and services
1.1.8 Interaction and communication data in case you contact the Company, including data you choose to share and disclose through the Company’s applications, tools, questionnaires, and services, in any form or method, which may include images or audio, telephone, email, conversation messages, and communications via social media
1.2 Sensitive Personal Data
The Company has no intention to collect, gather, use, or disclose your sensitive personal data. However, if such information appears on your identification card, house registration, or any other documents that you voluntarily disclose to the Company, such as race or religious information, and you submit any information containing such details to the Company, whether in the form of documents or other media, the Company recommends that you redact such sensitive personal data yourself by crossing out the sensitive information. However, if you do not redact the information yourself, the Company will deem that you have explicitly consented for the Company to redact such information on your behalf, and the information you have provided, once the Company has redacted the sensitive data for you, shall be deemed a complete document legally enforceable in all respects and may be processed by the Company under the Personal Data Protection Act B.E. 2562 (2019). In the event that the Company is unable to redact the sensitive data due to technical or other issues, the Company will retain such sensitive information solely as part of your identity verification documents.
1.3 Your Personal Data from Third Parties, Customers of the Company
The Company has no intention to collect, gather, use, or disclose your sensitive personal data. However, if such information appears on your identification card, house registration, or any other documents that you voluntarily disclose to the Company, such as race or religious information, and you submit any information containing such details to the Company, whether in the form of documents or other media, the Company recommends that you redact such sensitive personal data yourself by crossing out the sensitive information. However, if you do not redact the information yourself, the Company will deem that you have explicitly consented for the Company to redact such information on your behalf, and the information you have provided, once the Company has redacted the sensitive data for you, shall be deemed a complete document legally enforceable in all respects and may be processed by the Company under the Personal Data Protection Act B.E. 2562 (2019). In the event that the Company is unable to redact the sensitive data due to technical or other issues, the Company will retain such sensitive information solely as part of your identity verification documents.
2.Purposes and Legal Bases for Processing Personal Data
2.1 The Company processes your data in cases where you are required to provide personal data for the performance of a contract and/or compliance with applicable laws, and under lawful purposes in fulfilling the contract between you and the Company. If you do not wish to provide such personal data to the Company, it may have legal consequences, or it may result in the Company being unable to perform its duties under the contract entered into with you, or being unable to enter into a contract with you (as the case may be). In such cases, the Company may be required to refuse entering into a contract with you, or to refuse providing benefits related to you, whether in whole or in part.
2.2 The Company may rely on or refer to (1) the legal basis of consent to process your data; (2) the legal basis of contract performance for initiating, entering into, or performing a contract with you; (3) the legal basis of compliance with the Company’s legal obligations; (4) the legal basis of legitimate interests of the Company and third parties; (5) the legal basis of preventing or suppressing danger to a person’s life, body, or health; and/or (6) the legal basis of public interest for carrying out missions for the public benefit or performing duties in the exercise of state powers, or any other legal basis as prescribed by the Personal Data Protection Law, as the case may be. In this Privacy Notice, the Company will process your personal data in accordance with the following purposes and legal bases:
No.
Purpose
Legal Basis
1
To process computer traffic data from the use of the Company’s website and to comply with laws, regulations, rules, and orders of competent authorities under the law, such as compliance with subpoenas, court orders, orders of government agencies, supervisory authorities of the Company, or competent officials, including actions related to legal proceedings or litigation.
Compliance with the Law
2
For the purpose of providing services as requested, responding to inquiries, verifying identity for service use, providing consultation, providing clarification, preparing reports, and carrying out corrective actions according to your wishes, whether before entering into a contract with the Company or after entering into a contract with the Company, or as required by the Company’s rights and obligations towards you.
Performance of contract / for legitimate interests.
3
For the purpose of developing, maintaining, and improving access to services through the internet network, websites, mobile applications, and other online platforms.
For legitimate interests.
4
For the purpose of monitoring, preventing, and investigating fraud, money laundering, terrorism, misconduct, or other criminal activities.
For legitimate interests.
5
For the purpose of managing the relationship between the Company and you, such as customer care, satisfaction assessment, and investigating complaints received from you or from others.
For legitimate interests.
6
For the purpose of conducting surveys, needs assessments, and data analysis to develop and improve the quality of the Company’s products and services.
Consent.
7
For the purpose of sending information on discounts, promotions, news, marketing activities, and publicity messages through the channels you have provided.
Consent.
8
For the purpose of processing, analyzing, and researching products and services, and contacting you via telephone or the channels you have authorized, in order to provide targeted advertising based on your needs and interests.
Consent.
9
For the purpose of processing electronic transaction data and serving as evidence for payment, identity verification, or any legal transaction between you and the Company.
For legitimate interests / performance of contract.
10
For the purpose of preventing and mitigating dangers to the life, body, or health of you or others, such as emergency contact, communicable disease control, temperature recording, and your travel history.
To prevent or mitigate dangers to the life, body, or health of individuals / for legitimate interests / compliance with the law.
3. Disclosure of Personal Data
3.1 The Company may disclose your personal data under the specified purposes and in accordance with the law to the following persons and entities:
3.1.1 Affiliates, as listed on the website www.bslclinic.com, with which agreements have been entered into. This shall include executives, directors, employees, staff, and/or internal personnel of such companies, as relevant and necessary, for processing your personal data in order to fulfill your intended purposes in using the Company’s services. The Company may disclose your personal data under the specified purposes.
3.1.2 Government agencies and/or regulatory authorities for compliance with the law, such as the Anti-Money Laundering Office, the Revenue Department, the Stock Exchange of Thailand, the Royal Thai Police, and any other persons as required by relevant laws or regulations, as well as foreign agencies or organizations recognized by the regulators in Thailand for the purpose of legal compliance or in other specific cases.
3.1.3 Service providers and personal data processors engaged or authorized by the Company to manage or process personal data on behalf of the Company in providing various services. This also includes those acting in the name of, or in cooperation with, the Company to carry out related purposes as stated in this Notice, where it is necessary to access your personal data. Examples include providers of information technology services and technologies (such as cloud systems, blockchain systems, SMS services, or data analytics services), software and IT system providers, data recording services, payment services, auditing services, or any other services that may benefit you or relate to the Company’s business operations, where it is reasonably necessary to disclose your personal data to achieve the Company’s business purposes.
3.1.4 External parties, such as Call Center service providers, acting as personal data processors for the purposes of providing services as requested, responding to inquiries, verifying identity for service use, conducting needs and satisfaction surveys, and analyzing service data.
3.2 The Company shall require recipients of personal data to implement appropriate measures to protect your data and to process such personal data only as necessary. The Company will take action to prevent any unauthorized use or disclosure of personal data and shall process it only for the purposes specified in this Notice or as otherwise required by law. In cases where the law requires your consent, the Company will request your consent in advance.
4. Transfer or Transmission of Personal Data Abroad
The Company may store your data on computer servers or cloud services provided by third parties, and may use third-party programs or applications in the form of software-as-a-service (SaaS) or platform-as-a-service (PaaS) for processing your personal data. However, the Company will not permit any unrelated parties to access your personal data and will require such third parties to implement appropriate security and data protection measures.
In the event that the Company transfers or transmits your personal data abroad, the Company will ensure that the destination country, international organization, or foreign data recipient has an adequate level of personal data protection, or will ensure that such transfer or transmission complies with the requirements of the personal data protection laws. In certain cases, the Company may request your consent for the transfer or transmission of your personal data to such foreign countries.
5. Retention Period of Personal Data
5.1 The Company will retain personal data only as long as necessary for the purposes of processing, as specified in this Policy, which can be categorized as follows:
5.1.1 In cases where the Company processes your personal data based on your consent, the Company will continue processing such data until you withdraw your consent.
5.1.2 In cases where you provide information to the Company as a sender/receiver (messenger), payee, customer, service recipient, or as a representative of a contractual counterparty entering into a legal transaction with the Company, the Company will retain the data throughout the contract period and for an additional five (5) years from the year the relationship or contract ends.
5.1.3 In cases where you provide information to the Company as a contact person, inquirer, or Call Center contact (not as a customer or service recipient), the Company will retain the data for five (5) years from the month the relationship ends or the services provided to you are completed.
5.1.4 In cases of website visits, the Company will collect and retain the personal data of website users for five (5) years from the date of your website usage.
5.1.5 In cases where you provide information to the Company as a respondent to surveys or satisfaction assessments, the Company will retain your personal data for five (5) years from the year it was received.
5.1.6 In cases where rights are exercised under this Notice, the Company will retain records of exercising such rights under the Personal Data Protection Law for five (5) months from the month the Company completes the consideration of your request.
5.1.7 In other cases, the Company will retain your personal data for as long as reasonably necessary to fulfill its obligations and achieve the purposes set forth in this Notice. Where a clear retention period cannot be determined, the Company will retain the data for a period that can be reasonably expected in accordance with standard data retention practices (e.g., up to the maximum statutory limitation period of ten (10) years). In the event of legal proceedings, your personal data may be retained until the completion of such proceedings, including any period necessary to achieve the intended purposes. Afterward, your data will be deleted or retained only as permitted by law.
5.2 Upon the expiration of the specified retention period, the Company will delete, destroy, anonymize such personal data, or take other actions as required by the Personal Data Protection Law to ensure effective protection of personal data. However, the Company may retain certain data longer than the specified period if required by law, pursuant to orders of competent authorities or government agencies, or for legitimate business or legal purposes.
6. Rights of Personal Data Subjects
The Company respects your privacy rights and provides you with options to control how the Company contacts you. The Company will comply with your requests to ensure transparency, as well as the quality and accuracy of your personal data. You are entitled to the following rights under the Personal Data Protection Law, which may be exercised by submitting a written request to the Company through the designated channels:
6.1 Right to Withdraw Consent: If you have given consent for the processing of your personal data (whether before or after the enforcement of the Personal Data Protection Law), you have the right to withdraw such consent at any time while your personal data is with the Company. Withdrawal of consent does not affect the lawfulness of processing based on consent previously given, except where restricted by law, where consent cannot be withdrawn due to circumstances, or where a contract between you and the Company remains in effect for your benefit. Withdrawal of consent may result in the Company being unable to achieve certain purposes, in whole or in part, as specified in this Notice.
6.2 Right of Access: You have the right to access your personal data held by the Company and to request a copy thereof, as well as to request disclosure of how the Company obtained your personal data. This right is subject to exceptions where the Company is entitled to deny such requests under the law, a court order, or where your request could negatively affect the rights and freedoms of others.
6.3 Right to Data Portability: You have the right to request the transfer of your personal data in cases where the Company has arranged the data in a format that is readable or usable by automated tools or devices, and can be used or disclosed by automated means. You may also request that the Company transfer such data to another data controller where technically feasible, or to receive such data directly, except where technical obstacles prevent such transfer.
6.4 Right to Object: You have the right to object to the processing of your personal data at any time if such processing is carried out for legitimate interests of the Company or another person/entity, within reasonable expectations, for public interest tasks, for direct marketing purposes, or for scientific or statistical research. Upon objection, the Company will cease processing unless it can demonstrate overriding legal grounds, or where processing is necessary for legal claims, compliance, or defense in legal proceedings.
6.5 Right to Erasure (Right to be Forgotten): You have the right to request the deletion or destruction of your personal data, or to anonymize it, where you believe that your personal data has been unlawfully processed, where retention is no longer necessary for the purposes stated in this Notice, or where you have exercised your right to withdraw consent or object as mentioned above.
6.6 Right to Restrict Processing: You have the right to request the suspension of processing your personal data temporarily in cases where the Company is verifying a request for correction or objection, or in cases where the Company no longer requires retention under the applicable laws but you request restriction instead of deletion.
6.7 Right to Rectification: If you believe that your personal data is inaccurate, you may notify the Company to correct, update, or supplement your personal data so that it is accurate, complete, and not misleading. In the case of image-related data, the Company will correct only what is necessary and lawful. Where the request entails costs, the Company reserves the right to charge fees. If the Company refuses your request, it will record the refusal and the reasons as evidence.
6.8 Right to Lodge a Complaint: You have the right to lodge a complaint with the Company through its website by selecting the data processing complaint form on the Company’s website, if you believe that the processing of your personal data constitutes a violation of, or is inconsistent with, the applicable laws.
7. Exercising the Rights of Data Subjects
7.1 Any request to exercise your rights must be made in writing through the electronic system provided by the Company on its website, or by completing the Data Subject Rights Request Form. In the case where you wish to withdraw your consent, you may complete the Consent Withdrawal Request Form.
The Company will use its best efforts to process your request within a reasonable period of time and no later than one (1) month or thirty (30) business days from the date of receipt. However, the Company reserves the right to refuse your request in cases where legal exceptions apply, where fulfilling the request would prevent the Company from performing its contractual obligations, where it would affect the performance of contractual duties, where a court order requires refusal, or where fulfilling your request may adversely affect the rights and freedoms of others. In such cases, the Company will record the refusal together with the reasons. If it is evident that your request is manifestly unfounded or excessive, the Company reserves the right to charge a fee for processing your request at a rate determined by the Company.
7.2 The Company will make every effort, to the extent permitted by the relevant systems, to facilitate and process your requests, unless it is established that fulfilling such requests would risk violating the rights and freedoms of other users, conflict with applicable laws, or conflict with system security policies, or where it is impracticable to comply with the request due to technical reasons.
7.3 In certain circumstances, the Company may require you to verify your identity before exercising your rights for your own security. In some cases, there may be limitations on the exercise of certain rights, and the Company will provide clarification if it is unable to comply with your request.
7.4 In cases where the Company processes your personal data based on contractual obligations, legitimate interests, or legal obligations, the Company reserves the right to deny your request to object, restrict the use or disclosure of your personal data, or to request deletion or destruction of your personal data. The Company may also refuse to comply with your request if it is necessary to retain such data.
7.5 The Company must inform you that the exercise of certain rights may be subject to limitations where such personal data is strictly necessary for the Company to comply with its legal obligations, to ensure the security of the Company and its surrounding premises, its assets, the safety of activities conducted on its premises, and your own safety.
8. Security Measures
The Company has implemented appropriate security measures to protect personal data against loss, unauthorized access, use, alteration, modification, or disclosure, whether without authority or in violation of the law. These measures are in accordance with the Company’s information security policies and practices, as well as its Personal Data Protection Policy (Privacy Policy).
9. Contact Channels with the Company
BSL Clinic Co., Ltd. is the coordinator for personal data protection matters of BSL Clinic Co., Ltd. In cases where data subjects have any questions or wish to exercise their rights as specified in this Policy, they may contact the Company through the following channel:
For matters relating to personal data: Please contact the Data Protection Officer (DPO).
The Company reserves the right to amend, review, and update this Privacy Notice, which shall be effective as of the date of publication, without prior notice to you. Such amendments are made to ensure the appropriateness and effectiveness of the Company’s services. Therefore, the Company recommends that you read this Privacy Notice each time you visit or use the services of the Company or the website of the Company.
