Personal Data Protection Policy for Patients Receiving Medical Examination and Treatment Services

La Grace Clinic is committed to protecting your personal data as a patient receiving medical examinations, treatments, and other medical services provided by the clinic. Your personal data will be protected in accordance with the Personal Data Protection Act B.E. 2562 (2019). As the data controller, the clinic has a legal duty to inform you through this document of the reasons for and methods by which we collect, use, or disclose your personal data, as well as your rights as a data subject.

Definitions

“Personal Data” means any information relating to an individual that enables the identification of that individual, whether directly or indirectly, but does not include information relating specifically to deceased persons.

“Sensitive Personal Data” means personal data that includes information such as race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, labor union data, genetic data, biometric data (e.g., facial recognition data, iris scan data, fingerprint data), or any other data as specified by the Personal Data Protection Committee that may similarly affect the data subject.

“Medical Treatment Data” refers to the following information:
∙ The date (day, month, year) of receiving treatment
∙ History of drug allergies and adverse drug reactions
∙ History of food allergies
∙ Diagnosed medical conditions, names of procedures, and names of surgeries
∙ Blood test results and laboratory test results
∙ Prescribed medications
∙ Other relevant information, such as symptoms, doctors’ recommendations, and diagnostic details

“Processing” refers to the collection, use, or disclosure of personal data.

“Personal Data Controller” refers to a person or legal entity with the authority to make decisions regarding the collection, use, or disclosure of personal data.

“Personal Data Processor” refers to a person or legal entity that collects, uses, or discloses personal data on the instructions or behalf of the personal data controller. Such a person or entity is not considered a personal data controller.

“Network Healthcare Facilities” refers to clinics and healthcare branches that are part of or affiliated with La Grace Clinic, which includes a total of nine branches as follows:
∙ La Grace Clinic, CentralWorld Branch
∙ La Grace Clinic, Central Rama 2 Branch
∙ La Grace Clinic, Central Chaengwattana Branch
∙ La Grace Clinic, Central Pinklao Branch
∙ La Grace Clinic, The Promenade Branch
∙ La Grace Clinic, Silom Complex Branch
∙ La Grace Clinic, Central Bangna Branch

Purposes of Data Processing

We will process your personal data for the following purposes:

Each purpose is listed below together with the type of data processed and the legal basis for processing.

  1. For medical treatment purposes and providing healthcare services within the healthcare facility
     The medical team, including doctors, nurses, and/or other healthcare staff, will record your personal information and may use it to consult with the medical team, take still and moving pictures for treatment tracking, and/or perform any necessary actions according to medical practices during the time you receive services. The clinic will explain the details of this information to you before proceeding and will allow you to ask questions until you are satisfied.
     In cases where it is necessary to share data between affiliated healthcare institutions for the purpose of medical service delivery, the clinic may share your personal information with these institutions when needed. The clinic has measures in place to protect your personal data, with agreements in place between affiliated institutions to prevent unlawful processing of your data or processing without authorization.
     For patient referral between healthcare institutions: if the clinic receives a request or makes a request to transfer a patient to another healthcare facility for continued treatment, your personal data will only be used for the referral purpose and not for any other purposes.
     Type of data: personal identification data, contact information, health data, financial data
     Legal basis for processing:
       1. Necessary to perform the contract for medical treatment between you and the clinic (Section 24 (3))
       2. For sensitive personal data: processing in compliance with the law for diagnosing and treating medical conditions, such as the Hospital Act B.E. 2541 and the Medical Profession Act B.E. 2525 (Section 26 (5) (a))
       3. For sensitive personal data: to prevent or mitigate harm to life, body, or health when the data subject cannot consent, such as in emergency cases or for patient referral between hospitals (Section 26 (1))

  2. For the purpose of statistical analysis to improve healthcare quality
     The clinic may use your personal data in a manner that does not identify you personally for the purpose of analyzing and improving healthcare quality. Reports will be made in aggregate form, with strict confidentiality maintained.
     Type of data: statistical data
     Legal basis for processing: to achieve the legitimate interest of the clinic in analyzing statistical data to improve healthcare and service efficiency (Section 24 (5))

  3. Disclosure of data to insurance companies with whom you or the clinic have contracts
     The clinic may disclose your personal data to insurance companies to process claims or to reimburse medical expenses. This will only be done for the purpose of fulfilling the contracts made between you or the clinic and the insurance company. The clinic will not disclose your personal information to any unrelated third parties.
     Type of data: personal identification data, contact information, health data
     Legal basis for processing: with explicit consent from you to disclose personal health data to insurance companies for the purpose of claiming compensation or reimbursing medical expenses (Section 26)

  4. Disclosure of information to the entity that referred you for treatment or the payer
     If a government, private, or state enterprise agency refers you for treatment or is responsible for your payment, the clinic will disclose the relevant personal health information to these parties only if you have explicitly consented to the disclosure. If you do not consent, the clinic will send the treatment results directly to you.
     Type of data: personal identification data, contact information, health data
     Legal basis for processing: with explicit consent from you to disclose personal data (Section 26)

  5. For linking electronic medical records between healthcare facilities via mobile applications
     If you consent, the clinic will upload your personal information into a mobile application system to facilitate consultations and allow you to manage your data. The system will link medical records between affiliated healthcare institutions so you can access your personal data across different devices. The clinic has an agreement with affiliated institutions to ensure your data is protected according to the Personal Data Protection Act B.E. 2562.
     Type of data: personal identification data, contact information, health data
     Legal basis for processing: with explicit consent from you to disclose personal data (Section 26)

In addition to the purposes specified above, the clinic will not use your personal data for any other purpose, except in cases where the Personal Data Protection Act B.E. 2562 permits, such as:

  • When explicit consent is obtained from you (Section 24)
  • When explicit consent is obtained from you for the processing of sensitive personal data (Section 26)
  • For research or statistical purposes, with appropriate measures in place to protect the personal data, rights, and freedoms of the data subject (Section 24 (1))
  • To prevent or mitigate harm to life, body, or health (Section 24 (2))
  • For the performance of the contract between the clinic and you (Section 24 (3))
  • To fulfill the clinic’s duties in pursuit of public interest (Section 24 (4))
  • For the legitimate interest of the clinic or another individual or entity, unless this interest is overridden by the fundamental rights of the data subject (Section 24 (5))
  • For compliance with the law by the clinic (Section 24 (6))
  • To prevent or mitigate harm to life, body, or health in cases where sensitive personal data is used, and the data subject cannot provide consent (Section 26 (1))
  • For the establishment of legal claims (Section 26 (4))
  • For public health purposes or other social protection purposes by the clinic, with measures in place to protect the fundamental rights and interests of the data subject (Section 26 (5) (a))
  • For compliance with labor protection laws, provision of healthcare benefits, or social security insurance (Section 26 (5) (c))

Personal Data Collected by the Clinic

The personal data collected by the clinic from you can be classified into the following categories:

  • Personal Identification Data: such as name, surname, ID card number, facial photograph, gender, date of birth, passport, or other identifying numbers.
  • Contact Data: such as address, phone number, email.
  • Financial Data: such as billing information, credit or debit card information, receipt data, price list information.
  • Marketing Data: such as information used for registering to receive news and participating in marketing activities.
  • Statistical Data: such as anonymized data, number of patients, and website traffic data.
  • Technical Data: such as IP address of the computer, browser type, cookies data, time zone settings, operating system, platform, and technology of the device used to access the website, and online appointment system.
  • Health Data: such as medical treatment data, reports related to physical and mental health, healthcare services received, laboratory test results, diagnosis, diagnosed conditions, data related to medication and drug allergies, food allergies history, blood test results, laboratory test results, pathology biopsy results, radiology images, and radiology examination reports, prescribed medications, and data necessary for providing medical services, feedback data, and treatment outcomes.

Sources of Personal Data

The clinic collects your personal data from the following sources:

  • Personal Data Collected Directly from You:
    1. In the case that you are a patient receiving medical treatment: The clinic collects your personal data when you contact the clinic to inquire about services or when you register for medical services and other services provided by the clinic, either in person at the clinic or through electronic media.
    2. In the case that you are a vendor of the clinic: The clinic collects your personal data when you contact the clinic to offer services or when the clinic collects your personal data in your capacity as a vendor under a contract with the clinic.
  • Personal Data Collected Indirectly:
    1. Persons close to you, such as relatives, spouses, etc.
    2. Persons whom you have authorized to act on your behalf in communication with the hospital or a network of affiliated healthcare providers, in the case where you have consented to the healthcare provider in the network sharing your personal data.
    3. Individuals, legal entities, or organizations, whether from the public, private, or state-owned sectors, who refer you for treatment or services at the clinic, or who pay for the services on your behalf.

Disclosure or Sharing of Personal Data

The clinic will not disclose your personal data to external parties, except where the law permits such disclosure and it is necessary for the clinic’s operations. This may include the following situations in which the clinic may disclose personal data:

  • Disclosing personal data to government agencies, authorized entities, or individuals when required by law or under court orders.
  • Disclosing personal data to individuals or legal entities with whom the clinic needs to comply with a contract or for your benefit as the data subject. The clinic requires that these individuals or legal entities maintain confidentiality and protect your personal data according to the standards set forth by the Personal Data Protection Act B.E. 2562 (2019). This includes, but is not limited to, the following individuals or legal entities:
    • Healthcare providers within the network or branches of La Grace Clinic Medical Services, as necessary for providing medical treatment and services to you. The clinic will disclose only the essential information and will keep your personal data confidential as required by applicable laws such as the Medical Facility Act B.E. 2541, the National Health Act B.E. 2550, and the Medical Profession Act B.E. 2525.
    • Insurance companies or third-party service providers responsible for claims management.
    • Healthcare facilities that receive patient referrals.
    • The entity that referred you for medical treatment or services or paid the service fees on your behalf.
    • Personal data processors necessary for the clinic’s operations, such as contractors or service providers for laboratory tests, data management, telecommunications, computer systems, payment services, or technology outsourcing services.
  • The clinic may store personal data in a cloud computing system using third-party services, whether located in Thailand or abroad. The clinic has entered into contracts with these parties with caution and considers the security systems provided by the cloud computing service providers for the protection of personal data.

Retention Period of Personal Data

The clinic will retain your personal data, particularly your medical records, in its system for a period of at least five (5) years from the date the clinic creates or updates the documents containing such information. This period is deemed necessary for the treatment and post-treatment follow-up of your medical condition. However, the data may be retained for a longer period if the clinic is legally permitted to continue processing the data or for the purpose of your medical care or upon your request. In any case, data will not be retained for more than ten (10) years.

After the expiration of the retention period specified above, the clinic will destroy the personal data in accordance with its data destruction procedures.

In cases where the clinic is required to comply with legal obligations, court orders, or to establish legal claims for dispute resolution, the clinic may retain the personal data for the duration of the statute of limitations under the applicable law, or until the dispute is conclusively resolved, as the case may be.

Measures for Storing and Processing Personal Data

The clinic will implement data protection measures not less than the level required by law and will employ appropriate systems to prevent and safeguard the security of personal data. These include, for example:

  • Use of security protocols such as Secure Sockets Layer (SSL)
  • Firewall protection
  • Password protection
  • Other technical measures such as data encryption for internet transmission
  • Storage in restricted-access areas, with limitations on who can access the data

These measures are intended to ensure the confidentiality, integrity, and availability of personal data throughout the processing period.

Cross-Border Transfer of Personal Data

In certain cases, the clinic may need to transfer your personal data to another country. The clinic will proceed with such transfers only after informing you of the purpose of the transfer and obtaining your consent, particularly when the destination country may have inadequate personal data protection standards. You will be notified accordingly.

However, the clinic may transfer your personal data abroad without your consent if:

  • It is necessary for the performance of a contract to which you are a party,
  • It is required to carry out pre-contractual procedures upon your request,
  • Or it complies with provisions under the Personal Data Protection Act B.E. 2562 (2019).

Cookie Policy

When you visit the clinic’s website, cookies are used to ensure that you receive the best possible experience. Cookies are small text files that store information and are saved on your computer or communication device through the web browser you use when visiting the website.

The clinic uses cookies to recognize your unique browsing behavior. This recognition allows the clinic to better understand how you interact with the website and helps enhance the website to better match your preferences, ensuring a more convenient and efficient browsing experience.

(You may read the full Cookie Policy on the clinic’s website.)

Rights of the Data Subject

As the owner of personal data, you have the right to request the clinic to take certain actions regarding your personal data, within the scope permitted by law, as follows:

  • Right to Withdraw Consent:
    You have the right to withdraw your consent to the processing of your personal data at any time while your data is still held by the clinic.
  • Right of Access:
    You have the right to access your personal data and request a copy of such data. You may also request the clinic to disclose how your personal data was obtained if you did not give consent directly to the clinic.
  • Right to Rectification:
    You have the right to request that the clinic correct any inaccurate information or complete any incomplete data.
  • Right to Erasure:
    You have the right to request the clinic to delete your personal data for certain reasons.
  • Right to Restriction of Processing:
    You have the right to request the clinic to restrict the use of your personal data under certain circumstances.
  • Right to Data Portability:
    You have the right to receive your personal data provided to the clinic in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller or to yourself under certain circumstances.
  • Right to Object:
    You have the right to object to the processing of your personal data under certain circumstances.

Contacting the Data Protection Officer (DPO)

You may contact our Data Protection Officer (DPO) to submit a request to exercise your rights as stated above at:

La Grace Clinic
CentralPlaza Chaengwattana Office Tower, 10th Floor, Room No. 1003
No. 99/9, Moo 2, Chaengwattana Road, Bang Talad Sub-district,
Pak Kret District, Nonthaburi Province 11120
Phone: 087-494-9000, 087-494-4000
Email: pdpa.lagraceclinic@gmail.com

Changes to the Privacy Policy

The Clinic may review and update this Privacy Policy in the future to ensure enhanced protection of your personal data. The Clinic will notify you of any such changes through appropriate communication channels.

Contact Information

If you have any questions or wish to exercise any rights related to your personal data, you may contact the Data Controller at:

La Grace Clinic
CentralPlaza Chaengwattana Office Tower, 10th Floor, Room No. 1003
No. 99/9, Moo 2, Chaengwattana Road, Bang Talad Sub-district,
Pak Kret District, Nonthaburi Province 11120
Phone: 087-494-9000, 087-494-4000
Email: pdpa.lagraceclinic@gmail.com