
Privacy Notice


For Customers and Service Recipients

BSL Clinic Co., Ltd. (“the Company”) respects and values the right to privacy and is committed to protecting the personal data of its customers and service recipients (“patients”). The Company recognizes the importance of the personal data that “patients” have entrusted to the Company.

Therefore, the Company has created this Privacy Notice to assure “patients” that the personal data they provide to the Company will be used according to their needs, in compliance with the law, and kept secure according to international standards for personal data protection.


1. What personal data does the company collect?

  • 1.1 Personal data obtained from identity verification and registration with the company, such as title, first name, middle name, last name, date of birth, national ID number, nationality, email, phone number, and photo.
  • 1.2 Social media account data, such as usernames, Facebook profiles, Line IDs, Twitter handles, Instagram accounts, etc.
  • 1.3 Payment-related data, such as information on receipts.
  • Search history data, such as browsing data, service requests, and responses to the company’s advertisements, including content viewed by “patients,” clicked links, and features used.
  • 1.4 Data entered on the website and participation data, such as registration for campaigns, surveys, questionnaires, satisfaction assessments, feedback, and opinion polls, as well as details about exercising rights and complaints about products and services or similar items.
  • 1.5 Interaction and communication data, including data that “patients” choose to share via the Call Center, systems, applications, and various company services, in any form or method, which may be images or audio, including but not limited to phone calls, emails, chat messages, and social media communications.
  • 1.6 Personal data of “patients” under 18 years old must be authorized and certified by the “patient’s” guardian, confirming their consent to share the data with the company, such as the guardian’s phone number, address, status, and income, in cases where the “patient” provides the guardian’s information.
  • 1.7 Technical data, such as computer traffic data (logs), IP addresses, and data that the company has collected through cookies or similar technologies.

2. Does the company collect a “patient’s” sensitive personal data?

The company’s policy is to not collect sensitive personal data related to a “patient’s” race, ethnicity, political opinions, cult beliefs, religion or philosophy, sexual behavior, criminal history, health data, disability, genetic data, biometric data, or any other similar data that may affect the “patient,” as per the Personal Data Protection Committee’s announcement.

When the company asks a “patient” to take a photo of their ID card to verify their identity before treatment or a doctor’s visit, it is solely for the purpose of checking the accuracy and verifying the “patient’s” identity with an admin via LINE. The company will immediately delete or destroy the copy of the “patient’s” ID card after verifying the name, last name, and national ID number shown on the card. The company has no intention of collecting, using, or storing sensitive personal data such as race, blood type, or religious information, even if such data appears on the national ID card.


3. How does the company obtain a “patient’s” personal data?

The company collects and receives a “patient’s” personal data through various channels:

  • 3.1 Data directly provided by the “patient” when they apply for services, enter into a contract, submit documents, or participate in marketing or other activities organized by the company. This also includes when a “patient” submits a request to exercise their rights with the company or when they contact, inquire, or provide feedback—whether in writing or verbally—via the website, application, phone, email, post, in-person meetings, or any other method.
  • 3.2 Data automatically collected by the company through various channels such as cookies or similar technologies. For more details, please see the Cookie Policy.

4. Personal Data Protection for “Patients” Under 18 Years Old

In cases where a “patient” is a minor under 18, or an incompetent or quasi-incompetent person who requires consent from a parent, guardian, curator, or custodian (as the case may be), the Company will seek consent directly from that person with parental authority. During the application process, the Company requires these individuals to apply on behalf of the “patient.”

The Company believes in good faith that the data it receives from these individuals is data that the Company has the right to process, and that these individuals have the right to disclose it to the Company. The person with parental authority can choose to apply and receive news and marketing activities on behalf of the “patient.” If they have agreed to receive such information from the Company, they have the right to withdraw that consent at any time. They can do so by changing their consent in the application’s settings or, if they no longer wish to receive emails or other information from the Company, by clicking the “unsubscribe” link in the email correspondence they receive. Furthermore, if they wish to exercise their rights under personal data protection laws, they can do so as detailed in this notice.


5. For what purposes does the company use a “patient’s” personal data?

The company will process personal data necessary for its operations with the following purposes:

| No. | Purpose | Legal Basis |
|---|---|---|
| 1 | To send information on discounts, treatment course promotions, news, package-related information, and to conduct marketing activities such as sending messages, public relations materials, promotions, and marketing events via email. | Consent |
| 2 | To contact you by phone or other channels you have permitted and to recommend suitable treatment courses that you may be interested in, and to create targeted advertisements based on your behavior. | Consent |
| 3 | To analyze, research, and create statistics on “patients'” behavior from their use of the website, application, or other channels in order to develop and improve the quality of service. | Consent |
| 4 | To verify accuracy and to be used for identifying or verifying the identity of the “patient” before a doctor’s visit, treatment, or service use. | Contractual Performance/Legitimate Interest |
| 5 | To process the service application and create a database of “patients” who use the system. | Contractual Performance |
| 6 | To answer a patient’s questions and clarify various information through the chat system, provide suitable advice, and resolve product and service-related issues and defects. It is also used to indicate the progress of the treatment. | Contractual Performance / Legitimate Interest |
| 7 | To inform you of any other news or information related to the same type of services you have with the company, which may be beneficial to you. | Legitimate Interest |
| 8 | To manage orders, deliver, track, and ship medicines, to change and prepare products and services, to inform patients of their results, and to handle matters related to contract compliance. Failure to do so would affect the company’s ability to provide services fairly and continuously. | Contractual Performance/Legitimate Interest |
| 9 | To successfully complete a transaction and verify the accuracy of the account number, credit or debit card number, and other payment-related transactions, as well as to issue payment vouchers, receipts, and tax invoices in accordance with the Revenue Code and other relevant laws or announcements. | Based on contractual obligations/based on legal obligations. |
| 10 | Receiving complaints and feedback, communicating, conducting surveys and opinion polls about products and services, acting on orders and requests, and managing relationships. This includes providing patient care, assessing post-treatment satisfaction, offering consultation and clarification, and answering questions. | Contractual Performance/Legitimate Interest |
| 11 | The Company processes your data to comply with all applicable laws, rules, and regulations, both domestic and international, that are relevant to its business. This includes following legitimate orders from government agencies, officials, and legal authorities, such as court orders, regulatory bodies, or authorized officers. | Legitimate Interest |
| 12 | For the purpose of establishing, exercising, or defending the company’s legal claims in various legal proceedings, such as official investigations, inquiries by government officials, case preparation, litigation, and/or legal defense in court. | Legitimate Interest |
| 13 | For billing, transactions, and payment processing; managing claims and disputes, including dispute resolution; establishing, exercising, or contesting legal claims; various legal proceedings; and legal enforcement actions. | Based on Contractual Performance/Legitimate Interest |
| 14 | To comply with reasonable business principles, such as creating non-specific usage statistics, conducting audits, reporting, risk control or management, and performing trend analysis and planning or other related or similar activities. | Legitimate Interest |
| 15 | For the purpose of providing service notifications, such as when a contract is about to expire, creating and maintaining user accounts, as well as processing, verifying service usage, and closing user accounts. | Based on Contractual Performance |
| 16 | For use in sales, transfers, mergers, or similar events, where the company may disclose or transfer personal data to one or more third parties involved in those transactions. | Legitimate Interest |
| 17 | The company uses your data for risk management, internal audits, financial and accounting checks, internal organizational management, and to comply with the policy of transferring data to companies within the same corporate group under Binding Corporate Rules (BCR). | Based on Legal Obligations |
| 18 | To prevent security risks, such as monitoring network activity logs, identifying security incidents, conducting data security checks, and other protections against malicious, deceptive, fraudulent, or unlawful acts; to resolve issues, develop, implement, operate, test, and maintain information technology (IT) systems. | Legitimate Interest |
| 19 | For the prevention or cessation of danger to life or body in cases where a “patient” cannot give consent, such as health prevention in an epidemic situation, processing health data for first aid when a “patient” suffers harm while under the care or within the premises of the company, including taking a “patient” to a hospital in an emergency, a necessary situation, or a life-threatening danger. | Basis to prevent or suppress danger to a person’s life, body, or health. |

6. “Patients” have the freedom to give consent.

The company will not condition consent as part of the treatment process. Patients can be assured that the company will use the data solely for the purposes the company has defined or for which the patient has given consent. In cases where the company intends to process a patient’s personal data in a manner and/or for purposes that are not consistent with the purposes defined, the company will implement additional policies or announcements regarding personal data protection and will inform the patient via the website or send an email to explain the processing of the data in such cases.


7. Does the company share the personal data of “patients”?

The company has implemented appropriate measures to protect personal data and to comply with the standards set by personal data protection laws. The company ensures that those individuals maintain personal data with secure and confidential measures and will not use it for purposes outside the scope defined by the company. The company may share the personal data of “patients” with the following individuals or organizations:

Government agencies responsible for legal supervision, or those who request personal data sharing under legal authority, or as authorized by the relevant laws, such as the Revenue Department and its officers, etc.


8. The company may store the personal data of “patients” on computer servers or cloud services provided by third parties.

The company may use third-party programs or applications in the form of software services and platform services to process personal data. However, the company will not allow unauthorized individuals to access personal data and will require these third parties to implement appropriate security measures to protect the data.


9. How does the company work with other platforms?

“Patients” can connect their accounts with the “Learn Anywhere” platform account for the purposes specified in this notice only.


10. How long does the company retain the personal data of “patients”?

The company will retain the personal data of “patients” for as long as necessary to achieve the purposes for which the personal data was processed. The retention period will depend on the specific purpose of the processing as follows:

  • 10.1 In the case of data received from membership registration, the company will retain the personal data of “patients” as long as necessary to provide services to the “patients” and as long as the “patients” remain members. The data will be retained for an additional 5 (five) years from the end of the membership status or the termination of the relationship.
  • 10.2 In the case of a request to exercise rights as specified in this notice, the company will retain the records of the exercise of rights under personal data protection laws for 5 (five) years from the month in which the company completes the request.
  • 10.3 In other cases, the company will retain the personal data of “patients” for as long as necessary to achieve the purposes defined in this notice. If the retention period cannot be clearly determined, the company will retain the data for a period that can reasonably be expected according to the data collection standards (e.g., the statute of limitations under general law is up to 10 years). If legal proceedings are involved, the personal data of “patients” may be stored until the proceedings are completed, including any necessary period required to achieve the purposes. After that, the data will be deleted or retained in accordance with the law.
  • 10.4 After the retention period has expired, the company will delete, destroy, or anonymize the personal data so that it can no longer be used to identify the data subject, or take other actions as required by personal data protection laws to ensure effective protection of personal data. However, the company may retain certain data for longer than specified above if necessary to comply with the law, for copyright-related investigations, or in compliance with orders from authorities or government agencies with jurisdiction, and for legitimate business purposes, such as safety, prevention of violations or misconduct, or for financial record-keeping purposes.

11. What rights do “patients” have under personal data protection laws?

The company respects the privacy rights of “patients” and provides them the opportunity to exercise their rights as defined by personal data protection laws as follows:

  • 11.1 Right to withdraw consent: If “patients” have provided consent for the processing of personal data (whether the consent was given before or after the personal data protection law took effect), “patients” have the right to withdraw their consent at any time during the period in which their personal data is held by the company. Withdrawal of consent will not affect the processing of personal data that was lawfully processed prior to the withdrawal, unless the right to withdraw is restricted by law or by the nature of the contract between the “patient” and the company, which benefits the “patient” or may prevent the company from fulfilling part or all of the purposes outlined in this notice.

Withdrawal of consent may impact the “patient” in terms of service usage, such as not receiving benefits, promotions, new offers, or services that align with the “patient’s” needs, or not receiving valuable information. Therefore, to protect the “patient’s” interests, it is recommended to carefully consider and inquire about the potential consequences before exercising the right to withdraw consent.

  • 11.2 Right to Access Personal Data:
    “Patients” have the right to access their personal data held by the company and request that the company provide a copy of such data. They may also ask the company to disclose how the company obtained their personal data, unless the company has the right to deny such requests by law or court order, or if the request may adversely affect the rights and freedoms of others.
  • 11.3 Right to Data Portability:
    “Patients” have the right to request the company to transfer their personal data in cases where the data is in a format that is readable or usable by automated tools or devices, and can be shared or used by automated means. “Patients” also have the right to request that the company send or transfer such personal data to another data controller if it can be done automatically. “Patients” can request to directly receive personal data that has been transferred or sent to another data controller, unless it cannot be processed due to technical reasons.
  • 11.4 Right to Object:
    “Patients” have the right to object to the processing of their personal data at any time if the processing is based on the legitimate interests of the company or any other person or legal entity within a scope that the “patient” can reasonably expect, or if it is for public interest purposes, marketing purposes, or for scientific or statistical research purposes.

If “patients” object, the company may continue to process their personal data only if it can demonstrate legal grounds that override the “patient’s” fundamental rights or for the establishment of legal claims, compliance with the law, or defense in legal proceedings, as applicable.

  • 11.5 Right to Request Deletion or Destruction of Data:
    “Patients” have the right to request the deletion or destruction of their personal data, or to anonymize it so that it no longer identifies the “patient,” if they believe that their personal data has been processed unlawfully according to applicable laws, or if the company no longer needs to retain the data for the purposes specified in this notice. This also applies if the “patient” has exercised their right to withdraw consent or object as stated earlier.
  • 11.6 Right to Request Suspension of Data Usage:
    “Patients” have the right to request the temporary suspension of the use of their personal data while the company is investigating a request for data correction or objection made by the “patient” or any other case where the company no longer needs to retain the data and should delete or destroy the personal data according to applicable laws, but the “patient” requests that the company suspend the use of the data instead.
  • 11.7 Right to Request Data Correction:
    If “patients” believe that their personal data is inaccurate, they can notify the company to correct or update their personal data to ensure it is accurate, complete, and does not lead to misunderstandings.

In cases where the “patient” wishes to correct image-related data, the company will only correct the image data as necessary and in accordance with legal requirements. If fulfilling the correction request incurs costs, the company may charge for these expenses. If the company denies a “patient’s” request, the company will create a record of the denial along with the reasons for refusal.

  • 11.8 Right to Lodge a Complaint:
    “Patients” have the right to lodge a complaint with the company through the website by selecting the data processing complaint form on the company’s website if the “patient” believes that the processing of personal data is carried out in a manner that violates or does not comply with the applicable laws.

12. How can “patients” exercise their rights under personal data protection laws?

  • 12.1 In the case that a “patient” wishes to withdraw consent previously given, the “patient” can go to the settings in the application or can fill out the consent withdrawal request form via the company’s website. If the “patient” wishes to exercise other rights as stated in Section 11, the “patient” can fill out the personal data owner rights request form via the company’s website. The company will consider the request and notify the “patient” of the result within 30 (thirty) days from the date the company receives the request. However, the company may deny the exercise of rights under the conditions specified by law. If the company is unable to fulfill the “patient’s” request, the company will record the refusal and the reasons for it.
  • 12.2 The company will make every effort, within the capabilities of the relevant systems, to facilitate and process the “patient’s” request unless it is found that the processing of such request would risk infringing the rights and freedoms of other users, or contradict the law, the system’s security policies, or is technically impossible to fulfill the request.
  • 12.3 In some situations, the company may request that the “patient” verify their identity before exercising their rights for the patient’s own safety. There may be some limitations on the “patient’s” right to request, or there may be costs involved. The company will clarify to the “patient” if the request cannot be processed, or inform the “patient” if the company needs to charge fees for processing the “patient’s” request.

13. How does the company ensure the security of “patients'” personal data?

The company has established appropriate security measures to protect personal data from loss, unauthorized access, use, alteration, modification, or disclosure, in compliance with the law. These measures are in line with the company’s information security policies and personal data protection policies (Privacy Policy).


14. How can “patients” contact the company for further inquiries?

The company has designated a Data Protection Officer to coordinate matters related to personal data protection. If “patients” believe that the processing of their personal data does not comply with the Personal Data Protection Act B.E. 2562, or if they have suggestions, questions, or wish to inquire about the details of the collection, use, and/or disclosure of personal data, including exercising their rights under this notice, “patients” can contact or file complaints through the following channels:

For matters related to personal data: Contact the Data Protection Officer (DPO).

  • Email: [email protected] and please complete the form Link
  • Address: 30/8 Saladaeng Road, Silom Subdistrict, Bangrak District, Bangkok 10500
  • Telephone: 099-343-8666
  • Business hours: Daily, 10:00 a.m. – 8:00 p.m.

15. Will the Privacy Notice be amended or updated?

The company will regularly review the Privacy Notice to ensure it aligns with practices and relevant laws and regulations. If there are any changes to this Privacy Notice, the company will notify “patients” by updating the information on the company’s website as soon as possible. Therefore, the company recommends that “patients” read the Privacy Notice each time they visit or use the services of the company or its website.

Announced on May 31, 2022