Bangkok Skin and Laser Clinic Co., Ltd. (the “Company”) respects and values the privacy rights concerning personal data and is responsible for maintaining the security of your personal data under the Company’s supervision. The Company is committed to managing such data in a secure and reliable manner. For this reason, the Company has prepared this Privacy Notice for Photography or Videography (the “Notice”) to explain how the Company handles personal data and sensitive personal data, and to provide details regarding the collection, use, disclosure, and purposes for which the Company processes personal data, as well as to inform you of your rights, as follows:
1. Categories and Sources of Personal Data
The Company is required to process photographic data, whether recording still images or moving images of interviewees/commentators, award recipients, customers, or service recipients (“you”). The personal data processed by the Company may consist of still images or moving images during interviews, event activities, or group photographs taken after the completion of the activities (“Activities”). These are stored in paper form or electronic form on the Company’s data recording devices, which may also include the personal details of the data subject, such as name, surname, position of the individual in the image, as well as activity details, location, date, and time appearing in the image.
In cases where the Company records your photographs for marketing purposes, the Company will request your permission when selecting such photographs for disclosure or publication, as well as request permission to include your name and surname alongside your image for publicity purposes, under the objectives specified in the consent documents provided to and acknowledged by you.
2. Purposes and Legal Bases for Processing Data
The Company may rely on or refer to (1) the consent basis for processing your data, (2) the contractual basis for initiating a contract, entering into a contract, or performing a contract with you, (3) the legal obligation basis of the Company, (4) the legitimate interest basis of the Company and third parties, (5) the vital interest basis for preventing or suppressing danger to a person’s life, body, or health, and/or (6) the public interest basis for carrying out missions for the public interest or performing duties in the exercise of state authority, or other legal bases as prescribed by the Personal Data Protection law, as the case may be. Under this Notice, the Company will process your personal data in accordance with the following purposes and legal bases:
| No. | Purpose | Legal Basis |
| --- | --- | --- |
| 1 | Photography or videography that is not specifically focused on individuals, and photography of event atmospheres (group photos), exhibitions, learning environments, trainings, and meetings, for the purpose of communication and publication regarding the Company’s activities through various media channels such as the website, Facebook, Instagram, other online platforms, as well as the Company’s communication channels. | Legitimate interest |
| 2 | Processing under the license agreement to use photography or videography, name-surname, and works, with compensation provided | Performance of a contract |
| 3 | Photography or videography that is specifically focused or individualized, or the use of name-surname and works together with photographs and videos, for business purposes in line with the Company’s objectives, such as advertising, public relations, and sales promotion, through various channels such as the website, Facebook, Instagram, other online platforms, as well as other public venues. | Consent |
| 4 | Photography or videography in cases where photographs are recorded as significant due to being a prize winner or being selected to receive any award in activities, for the purpose of contacting for prize delivery, participation in activities, exhibitions, trade shows, and training or seminars, both online and offline, or any other activities where the Company sets conditions of participation prior to joining. The purpose is for communication and publication, to announce and inform others about the Company’s activities through various media channels as deemed appropriate by the Company. | Performance of a contract / Legitimate interest |
| 5 | Photography or videography for use as evidence in identity verification and for internal verification within the Company. | Legitimate interest |
3. Disclosure of Personal Data
3.1 Affiliated companies and other related companies as listed on the website www.bslclinic.com with which joint agreements exist. This shall include managing directors, executives, employees, and/or internal personnel of such companies, insofar as relevant and necessary for the processing of your personal data.
3.2 Service providers and personal data processors assigned or engaged by the Company to manage or process personal data on behalf of the Company in providing services, including those acting in the name of or in collaboration with the Company to carry out related purposes as specified in this Notice, and who necessarily require access to your personal data, such as information technology service providers, co-brand partners, product designers, sponsors, photographers, contractors engaged by the Company to organize events and activities, or any other services that may benefit you or relate to the Company’s business, where it is reasonably necessary to disclose your personal data in order to achieve the Company’s business objectives.
3.3 Government agencies with authority to request personal data, such as the Royal Thai Police, Office of the Attorney General, courts, or authorized government officials such as investigators, prosecutors, etc.
The Company shall require the recipients of the data to implement appropriate measures to protect your data and to process such personal data only to the extent necessary, and shall act to prevent unauthorized use or disclosure of personal data. The Company shall act only under the purposes specified in this Notice or other purposes permitted by law. In cases where the law requires your consent, the Company will obtain your consent before proceeding.
4. Cross-Border Transfer of Personal Data
The Company may store your data on computer servers or cloud services provided by third parties and may use third-party programs or applications in the form of software-as-a-service or platform-as-a-service for processing your personal data. However, the Company will not allow unrelated persons to access personal data and will require such third parties to have appropriate security protection measures in place.
In the event that the Company transfers or sends your personal data abroad, the Company will take steps to ensure that the destination country, international organization, or foreign data recipient has an adequate standard of personal data protection, or to ensure that the transfer or transmission of your personal data abroad complies with the criteria prescribed under the Personal Data Protection law. In some cases, the Company may seek your consent for the transfer or transmission of your personal data to such foreign countries.
5. Retention Period of Personal Data
5.1 The Company will retain personal data only as necessary for the purposes of processing as specified in this Notice, divided as follows:
5.1.1 In cases where the Company processes your personal data based on your consent, the Company will process such personal data until you notify the Company of your withdrawal of consent.
5.1.2 In cases where you provide information to the Company as a contracting party, the Company will retain your data as long as necessary to provide services to you for the duration of the contract, and will retain it for an additional five (5) years from the year the relationship or contract ends.
5.1.3 In cases where you provide information to the Company as an event registrant, training participant, or seminar participant, the Company will retain your data as long as necessary to provide services to you, and will retain it for an additional five (5) years from the year the relationship ends.
5.1.4 In cases where rights requests are made as specified in this Notice, the Company will retain evidence of the exercise of such rights under the Personal Data Protection law for five (5) years from the year the Company completes consideration of your request.
5.1.5 In other cases, the Company will retain your personal data as long as reasonably necessary to fulfill the Company’s obligations and achieve the purposes specified in this Notice. Where the retention period cannot be clearly determined, the Company will retain the data for a period that may be reasonably expected under standard practices (e.g., the maximum statute of limitations under general law, which is ten years). In the event of legal proceedings, your personal data may be retained until the completion of such proceedings, including any period necessary to achieve the intended purposes. Thereafter, your data will be deleted or retained only as permitted by law.
5.2 Upon the expiration of the retention period, the Company will delete, destroy, render the personal data non-identifiable, or take any other actions as prescribed by the Personal Data Protection law to ensure effective protection of personal data. However, the Company will retain certain data for longer than the period specified above if required to comply with laws, orders of competent officers or government authorities, and for business purposes or legitimate grounds.
6. Rights of Data Subjects
The Company respects your privacy rights and allows you to choose the methods of control or the means by which the Company contacts you. The Company will comply with your requests in order to promote transparency, and to ensure the quality and accuracy of data. You have rights under the Personal Data Protection law, which you can exercise by submitting a written request to the Company through the channels specified by the Company, as follows:
6.1 Right to Withdraw Consent: If the “Patient” has given consent for the processing of personal data (whether the consent was given before or after the Personal Data Protection law came into force), the “Patient” has the right to withdraw such consent at any time while the personal data of the “Patient” is with the Company. The withdrawal of consent does not affect the lawful processing of personal data to which the “Patient” has already consented, unless such right is restricted by law, by nature cannot be withdrawn, or where there is a contract between the “Patient” and the Company that provides benefits to the “Patient,” or the withdrawal may result in the Company being unable to achieve certain or all purposes specified in this document.
Furthermore, the withdrawal of consent by the “Patient” may affect the “Patient” in using various services, such as the “Patient” not receiving benefits, promotions, or new offers, not receiving services tailored to the “Patient’s” needs, or not receiving useful information and updates. For the benefit of the “Patient,” it is therefore recommended to study and inquire about the potential impacts before exercising the right to withdraw consent.
6.2 Right of Access to Personal Data: The “Patient” has the right to request access to the personal data of the “Patient” under the responsibility of the Company and request that the Company provide a copy of such data to the “Patient,” including the right to request that the Company disclose how the Company obtained the personal data of the “Patient.” This excludes cases where the Company has the right to refuse the request of the “Patient” under the law, a court order, or where the request of the “Patient” may have consequences that could cause damage to the rights and freedoms of other persons.
6.3 Right to Data Portability: The “Patient” has the right to request the transfer of the “Patient’s” personal data in cases where the Company has prepared such personal data in a format that can be read or used with tools or devices that work automatically, and that can be used or shared by automated means. The “Patient” also has the right to request that the Company send or transfer such personal data in that format to another personal data controller where this can be done by automated means, and the right to request that the Company directly send or transfer the personal data in that format to another personal data controller, unless it cannot be carried out due to technical reasons.
6.4 Right to Object: The “Patient” has the right to object to the processing of the “Patient’s” personal data at any time if the processing of the “Patient’s” personal data is conducted for operations necessary under the legitimate interests of the Company or of another individual or legal entity, provided that it does not exceed the reasonable expectations of the “Patient,” or for carrying out tasks in the public interest, or for marketing purposes, or for scientific or statistical research purposes.
If the “Patient” raises an objection, the Company will continue to process the “Patient’s” personal data only if the Company can demonstrate legal grounds that are more compelling than the fundamental rights of the “Patient,” or if it is for the establishment of legal claims, compliance with the law, or the defense of legal claims, as the case may be.
6.5 Right to Request Erasure or Destruction of Data: The “Patient” has the right to request the erasure or destruction of the “Patient’s” personal data, or to make such personal data non-identifiable, if the “Patient” believes that the personal data has been processed unlawfully under the applicable law, or considers that the Company no longer needs to retain the data for the purposes specified in this Notice, or when the Company is able to comply with the “Patient’s” exercise of the right to withdraw consent or the right to object as mentioned above.
6.6 Right to Restrict Processing: The “Patient” has the right to request the temporary suspension of the use of personal data in cases where the Company is verifying the “Patient’s” request to rectify personal data or the objection of the “Patient,” or in other cases where the Company no longer needs to retain and must erase or destroy the “Patient’s” personal data under the applicable law, but the “Patient” requests the Company to restrict the processing instead.
6.7 Right to Rectification: If the “Patient” considers that the “Patient’s” personal data is inaccurate, the “Patient” can notify the Company to correct or amend the personal data to be accurate, or to add information to make it current, complete, and not misleading.
In the case that the “Patient” wishes to request rectification of image-related data, the Company will rectify only the information related to the “Patient’s” image as necessary and lawful for the Company. If the execution of such a request incurs costs, the Company may charge such costs. In cases where the Company has grounds to reject the “Patient’s” request, the Company will record the refusal along with the reasons as evidence.
6.8 Right to Lodge a Complaint: The “Patient” has the right to lodge a complaint with the Company through the Company’s website, by selecting the Data Processing Complaint Form on the Company’s website, if the “Patient” believes that the processing of personal data is conducted in a manner that violates or fails to comply with the applicable law.
7. How the “Patient” Can Exercise Rights Under the Personal Data Protection Law
7.1 In cases where the “Patient” wishes to withdraw consent previously given, the “Patient” may do so by going to the settings in the application, or the “Patient” may complete the Consent Withdrawal Request Form through the Company’s website. In cases where the “Patient” wishes to exercise other rights as specified in Clause 12, the “Patient” may complete the Data Subject Rights Request Form through the Company’s website. The Company will consider and notify the “Patient” of the result of the request within thirty (30) days from the date the Company receives such request. However, the Company may refuse the exercise of the “Patient’s” rights under the conditions prescribed by law. In cases where the Company cannot proceed with the “Patient’s” request, the Company will record the refusal along with the reasons as evidence.
7.2 The Company will make every effort, within the capabilities of its relevant systems, to facilitate and act upon the “Patient’s” request, except where it is evident that complying with such request would risk violating the rights and freedoms of other users, contravene the law or system security policies, or in cases where it is impracticable to comply with the request due to technical reasons.
7.3 In certain situations, the Company may require the “Patient” to verify their identity before exercising rights for the “Patient’s” own security. At times, limitations on some of the “Patient’s” rights requests may arise, or costs may be incurred. The Company will explain to the “Patient” if it cannot comply with the rights request, or notify the “Patient” if it is necessary to charge fees related to the processing of the “Patient’s” request.
7.4 How the Company Protects the “Patient’s” Personal Data: The Company has implemented appropriate personal data security measures to prevent loss, unauthorized access, use, alteration, modification, or sharing of personal data, whether without authority or unlawfully. These measures are consistent with the Company’s Information Security Policy and Practices, and its Personal Data Protection Policy (Privacy Policy).
7.5 How the “Patient” Can Make Further Inquiries: The Company has appointed a Data Protection Officer (DPO) at BSL Clinic Co., Ltd. to coordinate personal data protection matters of the Company. In cases where the “Patient” believes that the processing of personal data does not comply with the Personal Data Protection Act B.E. 2562 (2019), or if the “Patient” has suggestions, questions, or wishes to inquire further about details of the collection, use, and/or disclosure of personal data, including exercising rights under this Notice, the “Patient” may contact or file a complaint through the following channels:
For matters relating to personal data: Please contact the Data Protection Officer (DPO):
Address: 30/8 Sala Daeng Road, Silom Subdistrict, Bang Rak District, Bangkok 10500
Telephone: 099-343-8666
Business hours: Daily, 10:00 a.m. – 8:00 p.m.
8. Amendments
The Company reserves the right to amend, review, and update this Privacy Notice, which shall take effect on the date and time it is published, without prior notice to you. This is to ensure appropriateness and efficiency in providing services. Therefore, the Company recommends that you read this Privacy Notice each time you visit or use the services of the Company or the Company’s website.