BSL Clinic Co., Ltd. (“the Company”) respects and values the privacy rights concerning your personal data and is responsible for safeguarding your personal data under its care. The Company is committed to managing such data securely and reliably.
In this regard, BSL Clinic Co., Ltd. has prepared this Privacy Notice for Employees (“Notice”) to explain how personal data and sensitive personal data are handled, and to provide details about the collection, use, disclosure, and purposes for which the Company processes personal data, along with informing you of your rights. The details are as follows:
1. Definitions
“Employee”
means a job applicant who has been selected to enter into an employment contract with BSL Clinic Co., Ltd. to work for the company as a permanent employee, contracted employee, temporary employee, outsourced employee, or freelance worker, depending on the case.
“Affiliate company”
means an affiliated company and other related companies that have mutual agreements or those for which you consent to the processing of personal data.
“Personal data”
means information about an individual that can identify that individual directly or indirectly, but does not include information about deceased persons specifically.
“Sensitive personal data”
means personal data related to race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union membership, genetic data, biometric data, or any other data that impacts the data subject similarly as specified by the Personal Data Protection Committee.
“Personal data provided by third parties or data that the company obtains from third parties”
means other personal data for which you certify to the company that you have obtained consent from the individual to disclose such data to the company, including consenting for the company to process such personal data for the purposes stated in this notice, including name, surname, occupation, workplace, and contact details (telephone number) of your spouse, children, father, mother, or emergency contact person, as well as persons you reference for employment verification and/or employment guarantors, including data from third parties about behavioral details related to you.
2. Types of Personal Data
BSL Clinic Co., Ltd. collects your information, which may include the following, and may vary depending on the case and the nature of the activities for which the company needs to process your data.
2.1 Personal information such as name, surname, date of birth, age, gender, weight, height, national ID number, photo, signature, nationality, religion, marital status, military status
2.2 Contact information such as home address, phone number, email, Line ID, publicly available Facebook information, Instagram, and other similar information
2.3 Educational and training information such as educational history, institution names, faculty, field of study, graduation year, academic results, test results, training or internship history, certificates listed in the application, abilities, professional qualifications, language skills, and other qualifications
2.4 Previous employment information such as work history, job positions, salary, performance evaluation
2.5 Job application information such as personal details, work history, cover letter, information provided in documents submitted to the company such as Resume/Curriculum Vitae (CV), expected salary, job interview information, self-introduction video, information disclosed during the interview, reference letters, and interview evaluation forms, other necessary recruitment and selection data including evaluation results, knowledge and experience, personal characteristics, teamwork, and supporting documents
2.6 Documents for job application or legal procedures such as a copy of the ID card, name change certificate, house registration, military service certificate, bank account book, work permit, identification documents, position-related licenses, beneficiary nomination form, social security registration form, consent forms for background checks, criminal record checks, background check results, employment guarantee letters, and documents with employment guarantor’s details
2.7 Work-related information such as employee ID, job position, department, performance evaluation, work behavior, achievements and/or awards, contract compliance data, benefits and welfare information, training records, disciplinary action records, transfer, appointment, promotion documents, participation in company activities, work goals, behavior or discipline records, resignation letter and reason for resignation, and termination details
2.8 Security-related information such as records of using company systems, access records to work locations, accident reports, and workplace safety, work-related travel or job-related activities
2.9 Benefits and compensation information such as salary, wages, compensation, bonuses, welfare details, bank account numbers, salary deduction consent forms, beneficiary details, social security information, tax details, tax deduction information, health benefits, and other personal data on medical certificates, annual health reports, maternity leave forms, etc.
2.10 Registration statistics such as start date, probation completion date, work entry times, total working hours, overtime hours, annual vacation days, leave requests, leave details, and leave reasons
2.11 Data from various tests such as personality, behavior, attitude, aptitude, skills, leadership ability, teamwork skills, emotional intelligence, discipline, or other characteristics, which may be observed and analyzed by the company while you participate in activities with affiliated or related companies
2.12 Technical data such as computer traffic (logs), IP address, data collected by cookies or similar technologies, including communication and usage data related to computer equipment, internet, email, and company communication devices during work
2.13 Other data such as audio, still images, and/or videos captured by CCTV, and any other data from participating in activities or campaigns organized by affiliated companies or related companies
2.14 Third-party data provided by you or obtained by the company from third parties such as other personal data that you certify to the company that you have received consent from the individual to disclose the data to the company, including consenting to the company processing the individual’s personal data for the purposes specified in this notice, including name, surname, occupation, workplace, and phone number of your spouse, children, father, mother, or emergency contact persons that the company may contact, or persons you reference for verification and employment guarantees, including details provided by third parties about the employee’s behavior
2.15 Other personal data consented to during employment, such as data you have consented to provide to the company during employment or participation in activities with the company or affiliated companies.
3. Sensitive Personal Data
3.1 If necessary, the Company will process your sensitive personal data with your explicit consent, which will be provided through a specific consent form for sensitive data processing. The Company will make its best effort to implement adequate security measures to protect your sensitive personal data. The Company will process such sensitive personal data for the purposes legally defined and for the purposes the Company has informed you of, in the following cases:
3.1.1 Health data: Such as chronic diseases, color blindness, physical check-up results, blood type, medical certificates, and medical history, for the purpose of labor protection, social security, medical welfare benefits for employees as per their rights, assessing work ability, and complying with relevant laws.
3.1.2 Biometric data: Such as fingerprint and facial recognition data, for the purpose of recording entry and exit from the workplace or company locations, identifying and verifying your identity, workplace security, and crime prevention.
3.1.3 Criminal history data: Which will be collected from documents you provide or through your consent for verification by the legally authorized agency (the Royal Thai Police) to assess suitability for employment, for certain positions determined by the Company.
3.1.4 Religious data: To provide appropriate facilities, activities, and welfare for employees, as well as for the management of employee care in an equal and fair manner based on human rights principles.
3.1.5 Other sensitive personal data for legitimate purposes, such as to prevent or suppress danger to a person’s life, body, or health in cases where you cannot give consent, and for data disclosed publicly with your explicit consent, to exercise legal claims, and to achieve objectives related to labor protection, social security, and employee welfare.
3.2 If you do not wish for the Company to collect, use, or disclose your sensitive personal data, you may refuse the processing by not giving consent on the consent form or by withdrawing your consent at a later time by contacting:
In the event that you do not wish for your sensitive personal data, as specified in clause 3.1, to be processed, but such sensitive personal data appears on your national ID card, house registration, or any other documents that you have voluntarily disclosed to the Company, such as race, blood type, or religious information, and you have submitted any such documents to the Company, whether in physical or other media, the Company recommends that you redact this sensitive information yourself by striking it out.
However, if you do not redact the information yourself, the Company will deem that you have explicitly permitted the Company to redact this information for you. The documents you submitted, with the sensitive data redacted by the Company, will be considered complete and legally enforceable. The Company may then process it under the Personal Data Protection Act B.E. 2562 (2019). In the event that the Company is unable to redact the sensitive information due to technical or other issues, the Company will only store this sensitive information as part of your identity verification documents.
4. Sources of Personal Data
Generally, the Company collects and receives your personal data directly from you, which may be in the form of documents or electronic data, or you may be required to fill in data on documents prepared by the Company or on online platforms designated by the Company. However, due to the nature of some activities, there may be cases where the Company needs to process some of your data, which may be received from sources other than yourself. The details of the channels for obtaining this data are as follows:
4.1 Personal Data You Provide Directly to the Company
You may provide personal data directly to the Company, for example, when you submit a job application and supporting documents, data collected during your employment, data you specify or make public through social media or websites used for work such as Workplace or Google, including data obtained from entering into a contract with the Company and data from submitting various documents containing your personal data to the Company.
4.2 Personal Data the Company Collects from You Automatically
The Company may automatically collect your personal data through various channels, such as through the use of cookies or similar technologies. For more details, please see the Cookie Policy.
4.3 Personal Data the Company Receives from Third Parties
In cases where the Company receives your personal data from a third party and/or any other individual who is a data controller or processor, the Company acts on the good faith belief that those individuals have the right to process the personal data and have the right to disclose it to the Company. This includes data obtained from telephone conversations and data from various forms and documents that arise during work with the Company.
5. Purpose and Legal Basis for Processing
5.1 The Company processes employee data for the purpose of fulfilling employment contracts and any other contracts you have with the Company. The Company requires your personal data to be accurate and complete. If you do not wish to provide such personal data to the Company, it may have legal implications or prevent the Company from performing its duties, granting rights under the contract, or entering into a contract with you (as the case may be). In such cases, the Company may need to refuse to enter into a contract with you or grant all or some of the related benefits.
5.2 In cases where the Company will process your personal data in a manner and/or for a purpose that is not consistent with the specified purposes, the Company will provide an additional privacy notice and/or inform you to explain such data processing. You should read the relevant additional notice in conjunction with this notice and/or the aforementioned letter (as the case may be).
5.3 The Company may process personal data by relying on or citing (1) the basis of consent to process your data, (2) the basis of contractual performance for initiating, entering into, or fulfilling a contract with you, (3) the basis of the Company’s legal duty, (4) the basis of the legitimate interests of the Company and third parties, (5) the basis of preventing or suppressing danger to a person’s life, body, or health, and/or (6) the basis of public interest for carrying out a mission for the public good or performing duties in the exercise of state authority, or other legal bases as stipulated by the Personal Data Protection Act, as the case may be. The Company will process your data by separating it according to the activities the Company performs under the legal bases for processing personal data as specified in this table.
No.
Purpose
Legal Basis for Processing
1
To process your job application with the Company, including selection, recruitment procedures, qualification verification, as well as fulfilling the employment contract, paying compensation, and providing various benefits.
Contractual Performance/ Legitimate Interest
2
Employee registration, preparing employee ID cards, materials, equipment, computers, mobile phones, email, and usernames & passwords for necessary system access and other preparations for employee work.
Contractual Performance
3
Drafting or renewing visas and work permits, requesting permit renewals related to employee work, storing license information and revocation data (for positions where a license is legally required), and updating information in the database.
Contractual Performance/ Legal Duty
4
Recording information about chronic diseases, health check-up results, communicable diseases, and pre-employment health checks (including disclosing my personal data to and receiving check-up results from partner hospitals) and annual health check-ups as per company regulations or legal requirements, for labor protection, work ability assessment, social security registration, and employee medical welfare benefits in accordance with company regulations.
Contractual Performance/ Consent
5
Collecting employees’ biometric data, such as fingerprint and facial recognition data, to record entry to and exit from the workplace or company locations, to identify and verify your identity, for workplace security, and for crime prevention.
Consent
6
Collecting criminal history data to consider suitability for employment.
Consent
7
Collecting information about religion to facilitate appropriate facilities, activities, and welfare for employees, as well as for the management of employee care in an equal and fair manner based on human rights principles.
Consent
8
Administering payroll, compensation, wages, bonuses, overtime pay, accommodation allowances, travel expenses, and various benefits to employees.
Contractual Performance / Legal Duty
9
Managing Social Security Funds, Workmen’s Compensation Funds, and employee tax matters, such as withholding income tax and tax-deduction-related documents.
Contractual Performance / Legal Duty
10
Administration of prevention and mitigation measures for accidents and disasters, monitoring and maintaining order, and ensuring the safety of individuals and company property.
Contractual Performance / Legitimate Interest
11
Transporting an employee to the hospital in case of an emergency or danger to their life or body.
Preventing or suppressing danger to a person’s life, body, or health.
12
The establishment of legal claims, compliance with or exercise of legal claims, or the defense against claims by the Company in various legal proceedings.
Legitimate Interest
13
Sending employee data to external service providers for compensation data surveying and analysis, payroll processing, performance evaluation, background checks, and testing employee qualifications and abilities.
Contractual Performance/ Legitimate Interest
14
Announcing birthdays, congratulating employees on the birth of a child, and expressing condolences for the loss of a family member.
Legitimate Interest / Consent
15
Managing activities related to employee employment throughout the period of work, such as using employee data for references as per contracts between the company and its partners or customers.
Contractual Performance/Legitimate Interest
16
Taking still photos, videos, ceremonial photos, and general atmosphere shots at birthday parties, New Year’s parties, social gatherings, meetings, training sessions, seminars, and various other events.
Contractual Performance/Legitimate Interest
17
Administering matters related to holidays, leaves, absences, and details of participation in activities.
Contractual Performance
18
Administration of advertising and public relations media where employees act as presenters or appear as part of the company’s advertising and public relations materials.
Contractual Performance / Consent
19
Responding to surveys and providing various feedback related to and arising from work performance.
Contractual Performance/Legitimate Interest
20
Announcing lists of employees, contact information, new employee announcements, and announcements of resignation or termination. Announcing outstanding employees or those selected as outstanding employees or receiving awards. Announcing employee promotions and branch transfers.
Legitimate Interest
21
Garnishing salary or other compensation as per a court order, an order from the Legal Execution Department, or an order from the official receiver in a bankruptcy case.
Legal Duty
22
Training history and results, test results, evaluations, and knowledge, attitude, and various other assessments for employees, including setting work goals and analyzing your characteristics such as habits, behavior, attitude, aptitude, skills, and leadership qualities while you participate in activities with the company or its affiliates.
Contractual Performance/Legitimate Interest
23
Recording employee evaluation results from colleagues, employers, and employees, as well as recording work performance, financial history, and criminal history to consider position adjustments, salary increases, and special compensation or bonus payments.
Contractual Performance/Legitimate Interest
24
Investigation of fraudulent behavior or actions that violate the law, company regulations, and work rules. Consideration of and imposing disciplinary action. Taking any necessary legal action or measures to exercise rights under contracts and laws.
Contractual Performance / Legal Duty
25
Submitting reports on employee fraud to regulatory agencies and competent authorities as required by law, such as the police, the Anti-Money Laundering Office (AMLO), the Revenue Department, the Legal Execution Department, and the Royal Thai Police.
Legal Duty
26
Managing employee resignation, retirement, and termination for the purpose of disclosing information to relevant agencies such as the Revenue Department, banks, and the Social Security Office.
Contractual Performance / Legal Duty
27
To prevent and suppress danger to your life, body, or health, or that of others. This includes emergency contact, check-up results, and measures for preventing and controlling infectious diseases, as well as recording your temperature and travel history.
Preventing or suppressing danger to a person’s life, body, or health / Legitimate Interest / Legal Duty
6. Disclosure of Personal Data
6.1 The Company may disclose your personal data for the purposes stated and as permitted by law to the following individuals and entities:
6.1.1 Affiliated companies and other related companies. This includes executives, directors, employees, and/or internal personnel of such companies, to the extent necessary for processing your personal data.
6.1.2 Service providers related to recruitment, hiring, employment, payroll, security, background checks, qualification and skills testing, third-party platforms and websites, partner clinics (for pre-employment health checks), and other necessary information system developers provided by the company. This is done to enable the company to operate its business and provide services to employees, and where it is reasonably necessary to disclose your personal data to achieve the company’s business objectives.
6.1.3 Affiliated companies, other related companies, partners, employers, consultants, and the company’s customers. This also includes parties the company bids for or offers to sell goods or services to, as well as any other third parties for whom disclosure of your personal data is reasonably necessary.
6.1.4 Authorized government agencies such as the Royal Thai Police, the Office of the Attorney General, courts, inquiry officials, public prosecutors, the Legal Execution Department, official receivers, the Social Security Office, the Revenue Department, government officials, officials from the Department of Labour Protection and Welfare, or any other organization with the legal authority to request personal data. This may also include disclosure to government agencies and officials for the purpose of the company’s own legal proceedings.
6.1.5 Parties involved in corporate restructuring or mergers. The company may need to transfer its rights to such entities and may need to share data for these purposes.
6.1.6 Data processors, who are external service providers that need access to personal data to perform their duties in processing data according to the company’s instructions, as specified in the Data Processing Agreement (DPA) between the data controller and the data processor. This also includes those who act on behalf of or with the company to achieve the relevant purposes stated in this notice and for whom obtaining your personal data is necessary.
6.2 The company will require the data recipients to have appropriate measures in place to protect your data and will process the personal data only as necessary. The company will also take steps to prevent unauthorized use or disclosure of personal data and will only operate under the purposes specified in this notice or other purposes permitted by law. In cases where the law requires your consent, the company will seek your consent first.
7. Transfer or Transfer of Personal Data to Other Branches
The Company may store your data on computer servers or clouds provided by others and may use third-party software or applications in the form of Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) to process your personal data. However, the Company will not allow unrelated persons to access personal data and will require those other persons to have appropriate security measures.
8. Personal Data Processing Period
8.1 The Company will retain personal data only for as long as necessary for the purposes of processing, as specified in this notice, as follows:
8.1.2 The Company will retain employee personal data for a period of 5 (five) years from the month following the termination of the employment contract.
8.1.3 The Company will retain employees’ sensitive personal data, including fingerprint and facial recognition data, and religious information, for a period of 5 (five) years from the month following the termination of the employment contract.
8.1.4 The Company will retain sensitive personal data, including criminal history and health data, for a period of 5 (five) years from the month following the termination of the employment contract.
8.1.5 In cases where the Company uses your personal data with your consent, the Company will process such data until you notify us of your withdrawal of consent. If you exercise your rights as specified in this notice, the Company will retain proof of your exercise of rights under the personal data protection law for 5 (five) years from the month in which the Company completes its consideration of your request.
8.2 In other cases, the Company may retain your personal data for as long as reasonably necessary to fulfill its obligations and achieve the purposes set out in this notice. If the retention period cannot be clearly defined, the Company will retain the data for a period that can be reasonably expected according to data collection standards (e.g., a general legal statute of limitations of up to 10 years). However, in the event of legal proceedings, your personal data may be stored until the conclusion of such proceedings, including any period necessary to achieve the objectives. After that, your data will be deleted or stored as permitted by law.
8.3 Upon the expiration of the specified period, the Company will delete, destroy, or anonymize the personal data so that the individual cannot be identified, or take any other action required by personal data protection laws to ensure effective data protection. However, the Company will retain some data longer than stated above if it is necessary to comply with the law, follow an order from a competent official or government agency, and for legitimate business or legal purposes.
9. Rights of the Data Subject
The Company respects your privacy rights and provides you with the option to control how the company contacts you. The Company will comply with your requests to promote transparency, data quality, and data accuracy. You have rights under the Personal Data Protection Act. You can submit a written request to the Company through the specified channels to exercise the following rights:
9.1 Right to Withdraw Consent If you have given consent for the processing of your personal data (whether before or after the Personal Data Protection Act became effective), you have the right to withdraw that consent at any time while the company holds your personal data.
The Company would like to inform you that withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal, unless the right is restricted by law, is impossible to withdraw by its nature, or there is a contract between you and the company that benefits you. It may also result in the company being unable to perform some or all of the purposes specified in this document.
9.2 Right to Access Data You have the right to request access to your personal data under the company’s responsibility and to request a copy of such data. You also have the right to ask the company to disclose how it obtained your personal data, unless the company has the right to refuse your request by law or a court order, or if your request may cause harm to the rights and freedoms of others.
9.3 Right to Data Portability
You have the right to request the transfer of your personal data when the company has formatted the data in a machine-readable, usable, or automatically-operable format. You also have the right to request that the company send or transfer such data to another data controller automatically, and to receive the personal data that the company sent or transferred directly to another data controller, unless it is technically impossible to do so.
This right applies to personal data that you have consented to the company processing, or data that the company needs to process for you to use the company’s services as per your contract, or to comply with your request before using the service, or other personal data as determined by the competent legal authority.
9.4 Right to Object You have the right to object to the processing of your personal data at any time if the processing is performed for the company’s or another person’s or entity’s legitimate interests, provided that it does not exceed what you can reasonably expect, or if the processing is for a public interest mission or for scientific or statistical research purposes. If you object, the company will continue to process your personal data only if the company can demonstrate a legal reason that outweighs your fundamental rights or is for the establishment, exercise, or defense of legal claims, as the case may be.
9.5 Right to Erasure You have the right to request the erasure or destruction of your personal data, or to make it unidentifiable, if you believe your personal data has been unlawfully processed, or you believe the company is no longer necessary to retain it for the purposes specified in this notice, or when the company believes it can comply with your request to withdraw consent or object as mentioned above.
9.6 Right to Restriction of Processing You have the right to request a temporary suspension of the use of your personal data while the company is in the process of reviewing your request to correct or object to the data. This right also applies in cases where the company is no longer necessary to retain your personal data and must delete or destroy it under relevant law, but you request to suspend the use of your personal data instead.
9.7 Right to Rectification You have the right to request the correction of your personal data to be accurate, current, complete, and not misleading. If you wish to correct image-related data, the company will only correct the data items related to your images as necessary for the company’s legitimate purposes. In cases where the request incurs costs, the company may charge you for them.
9.8 Right to Lodge a Complaint You have the right to file a complaint with the company through the Personal Data Processing Complaint Form or with the relevant legal authority if you believe that the processing of your personal data violates or does not comply with relevant laws.
The Company will make its best effort to act within a reasonable timeframe, not exceeding 30 days from the receipt of the request. However, the Company reserves the right to deny your request in cases where there are legal exceptions, or if the Company cannot fulfill its contractual obligations, or if it impacts the performance of contractual duties, or if the denial is based on a court order. The Company may also deny the request if complying with it could potentially cause harm to the rights and freedoms of others. The Company will record the denial of the request and the reasons for it. If it is clear that your request is unreasonable or excessive, the Company reserves the right to charge a fee for processing your request at a rate determined by the Company.
10.2 The Company will make its best effort, within the capabilities of the relevant systems, to facilitate and act on your requests, unless it is evident that complying with the request would risk violating the rights and freedoms of other users, or would be against the law or system security policies, or if it is practically impossible to fulfill the request due to technical reasons.
10.3 In certain situations, the Company may ask you to verify your identity before you can exercise your rights, for your own security. There may be some limitations on exercising your rights, and the Company will inform you if it cannot fulfill your request.
10.4 If the Company processes your personal data based on contractual performance, legitimate interest, or legal duty, the Company has the right to deny your request to object, suspend the use or disclosure of your personal data, or to delete or destroy your personal data. The Company may also deny your request if it is necessary to continue retaining the data.
10.5 The Company must inform you that there may be limitations on exercising some of your rights if the personal data is critically necessary for the Company to comply with legal obligations, maintain the security of the company and its surroundings, protect company property, ensure safety at events, and for your own safety.
11. Security Measures
The Company has established appropriate security measures for personal data to prevent loss, unauthorized access, use, alteration, modification, or disclosure of personal data that is not in accordance with the law. These measures are consistent with the Company’s information security policies and practices and its Privacy Policy.
12. Third-Party Information
If you provide personal data of any third party, such as a spouse, child, parent, family member, beneficiary, emergency contact person, reference, and other related individuals, you certify that you have the authority to provide their personal data and are responsible for ensuring that they allow the company to use such data in accordance with this notice. Furthermore, you are responsible for informing these individuals and obtaining their consent.
13. Contact Channels
The company has assigned BSL Clinic Company Limited as its personal data protection coordinator. If a data subject has any questions, wishes to exercise their rights as specified in this notice, or has further inquiries, they can contact the Data Protection Officer through the following channel:
Subject of personal data: Contact the Data Protection Officer.
The Company reserves the right to amend, review, and update this Privacy Notice, which will be effective upon its publication, without prior notice. This is to ensure the suitability and efficiency of our services. Therefore, the Company recommends that you read the Privacy Notice every time you visit or use the services from the Company or its website.
