Privacy Notice
B-First Medical Ltd.

This privacy notice (the “Privacy Notice”) is provided in order that you as the Company’s customers, i.e. patients, emergency or unconscious patients, persons interested in receiving medical service, the Company’s personnel, job applicants, business partner, and marketing activity participants, or any persons involving the aforesaid persons (collectively referred to as “You”), have the knowledge of the procedure, which B-First Medical Ltd. as the operator of PrimoCare Medical Polyclinic, and PrimoCare Medical Clinic (the “Company”) follows to collect, use, or disclose your personal data, and your legal rights relevant to personal data under the Personal Data Protection Act B.E. 2562 and relevant statutory requirements.

For your understanding of the procedure that the Company follows to collect, use, or disclose your personal data, and your privacy right, please read this privacy notice thoroughly, and a notice to be amended in the future from time to time to be in compliance with the Company’s guideline and/or statutory requirements.

To do any transaction relevant to the Company, you and/or your parents, guardian or legal representative (in case your age is under 20 years old) confirm and accept the guideline and procedure specified herein.  In addition, you accept that disclosing a third party’s personal data to the Company for the Company’s purposes as set out below is made with his/her consent. 

Enforcement

This Privacy Notice is enforced on (1) the Company’s customers, namely patients, emergency or unconscious patients, persons interested in receiving medical service; (2) the Company’s personnel; (3) job applicants; (4) business partners; (5) bloggers, influencers and marketing activity participants; or (6) any person involving the aforesaid persons, including other persons relevant to the Company, for example, marketing agents, law firms, insurance companies or recruitment agencies.

1. Collected Personal Data

The Company collects the following personal data, namely any information that enables your identification, whether directly or indirectly:

  1. Personal data;
  2. Health data;
  3. Biometric data;
  4. Data of family members
  5. Contact person data in case of emergency and relevant persons
  6. Guarantor data
  7. Educational and membership registration data
  8. Data on work experiences and training records
  9. Data on competency and personal interests
  10. Data on job applications and reference persons
  11. Data on work performance and work performance assessment
  12. Financial and fringe benefit data
  13. Business partner data
  14. Conversation and communication recording
  15. Social media
  16. Technical data
  17. Other data

Further details are contained in the privacy policy (“Collected Personal Data”).

2. Sources of Personal Data

The Company may receive your personal data from the following ways:

  1. Personal data you provided to the Company directly, for example, sending the data to the Company directly through filling in a questionnaire or Google form, and/or any channel whether by telephone, email, PrimoCare Patient application, website www.primocare.com, and/or other social media such as Facebook, Instagram, Line application, including data you provided during your job application, becoming the Companys personnel, and doing any business with the Company, as the case may be, etc;
  2. Personal data you provided to the Company automatically, for example, the Company may  collect personal data by Cookies and/or other similar technologies, etc.;
  3. Personal data received from a third party, for example, a marketing agency, shutterstock provider, recruitment agency, talent acquisition unit which is a work unit of an affiliated company, and accompanying persons (in case that you are an emergency or unconscious patient).

3. Purposes of Collection, Use, Disclosure of Personal Data

The Company shall collect, use, or disclose your personal data for various purposes on legal bases, including (a) for compliance with a contract and the conditions on service rendering between you and the Company; (b) for legitimate interests; (c) for preventing or suppressing a danger to your life, body or heath, or other person’s life, body or health; (d) for compliance with legal obligations; and/or (e) on any other legal bases, as the case may be.
In addition, the Company may request your consent for collection, use or disclosure of your data for specific purposes as set out below:

3.1 Patients and relevant persons (such as relatives)

Purposes

Legal Bases for Data Processing

General personal data

  • First name – last name
  • age
  • Identification card/passport number 
  • Date of birth
  • Birthplace 
  • Weight, height 
  • Marital status 
  • Gender 
  • Military status
  • Nationality 
  • Occupation
  • Address
  • Phone number and
  • Any other contact details
  • The Company’s legitimate interests
  • Complying with a contract between you and the Company
  • Consent
  • The Company’s legal obligations

Sensitive data

  • For identification and verification ofyour right to medical care 
  • For diagnoses
  • For support of diagnoses (such as patients from the United Kingdom or the European Union may develop vaccine-induced immune thrombotic thrombocytopenia) 
  • Necessary for complying with the laws to achieve the purposes of medical diagnoses or medical care 
  • The explicit consent

Purposes

General personal data

  • First name – last name
  • age
  • Identification card/passport number 
  • Date of birth
  • Birthplace 
  • Weight, height 
  • Marital status 
  • Gender 
  • Military status
  • Nationality 
  • Occupation
  • Address
  • Phone number and
  • Any other contact details

Sensitive data

  • For identification and verification ofyour right to medical care 
  • For diagnoses
  • For support of diagnoses (such as patients from the United Kingdom or the European Union may develop vaccine-induced immune thrombotic thrombocytopenia) 

Legal Bases for Data Processing

  • The Company’s legitimate interests
  • Complying with a contract between you and the Company
  • Consent
  • The Company’s legal obligations
  • Necessary for complying with the laws to achieve the purposes of medical diagnoses or medical care 
  • The explicit consent

3.2 Emergency or unconscious patients and relevant persons (such as accompanying persons)

Purposes

Legal Bases for Data Processing

General personal data

  • For identifying patients before providing services 
  • For providing basic medical care
  • For complying with laws and creating any legal rights (if any)
  • Preventing or suppressing a danger to a person’s life, body or health 
  • The Company’s legitimate interests
  • Consent
  • The Company’s legal obligations

Sensitive data

  • For diagnoses
  • For support of diagnoses (such as patients from the United Kingdom or the European Union may develop vaccine-induced immune thrombotic thrombocytopenia)
  • Necessary for complying with the laws to achieve the purposes of medical diagnoses or medical care 
  • The explicit consent

Purposes

General personal data

  • For identifying patients before providing services 
  • For providing basic medical care
  • For complying with laws and creating any legal rights (if any)

Sensitive data

  • For diagnoses
  • For support of diagnoses (such as patients from the United Kingdom or the European Union may develop vaccine-induced immune thrombotic thrombocytopenia)

Legal Bases for Data Processing

  • Preventing or suppressing a danger to a person’s life, body or health 
  • The Company’s legitimate interests
  • Consent
  • The Company’s legal obligations
  • Necessary for complying with the laws to achieve the purposes of medical diagnoses or medical care 
  • The explicit consent

3.3 The Companys personnel and relevant persons (such as guarantor)

Purposes

Legal Bases for Data Processing

General personal data

  • For identification or verification before placement
  • For entering into an employment contract and a surety contract 
  • For communication with the Company’s personnel and relevant persons
  • For issuing payment slips and withholding tax filing 
  • For electronic transactions 
  • For preparing tax documents and invoices
  • For providing welfare and fringe benefits, including a right to medical care 
  • For creating an account to access HIS server 
  • For creating the Company’s email account for external and internal communication
  • For any other purpose related to the employment  
  • For complying with laws and creating any legal rights (if any)
  • The Company’s legitimate interests
  • Complying with a contract between you and the Company
  • Consent
  • The Company’s legal obligations

Sensitive data

  • For entering into a contract
  • For checkup before starting to work
  • For security of individuals and the Company’s property
  • For having access to personal and restricted areas
  • The explicit consent

Purposes

General personal data

  • For identification or verification before placement
  • For entering into an employment contract and a surety contract 
  • For communication with the Company’s personnel and relevant persons
  • For issuing payment slips and withholding tax filing 
  • For electronic transactions 
  • For preparing tax documents and invoices
  • For providing welfare and fringe benefits, including a right to medical care 
  • For creating an account to access HIS server 
  • For creating the Company’s email account for external and internal communication
  • For any other purpose related to the employment  
  • For complying with laws and creating any legal rights (if any)

Sensitive data

  • For entering into a contract
  • For checkup before starting to work
  • For security of individuals and the Company’s property
  • For having access to personal and restricted areas

Legal Bases for Data Processing

  • The Company’s legitimate interests
  • Complying with a contract between you and the Company
  • Consent
  • The Company’s legal obligations
  • The explicit consent

3.4 Applicants and relevant persons (such as reference persons)

Purposes

Legal Bases for Data Processing

General personal data

  • For job applications, selection, interview, and doing any acts relevant to job applications
  • For communication with applicants and relevant persons
  • The Company’s legitimate interests
  • Consent
  • The Company’s legal obligations

Sensitive data

  • For job applications, selection, interview, and doing any acts relevant to job applications
  • The explicit consent

Purposes

General personal data

  • For job applications, selection, interview, and doing any acts relevant to job applications
  • For communication with applicants and relevant persons

Sensitive data

  • For job applications, selection, interview, and doing any acts relevant to job applications

Legal Bases for Data Processing

  • The Company’s legitimate interests
  • Consent
  • The Company’s legal obligations
  • The explicit consent

3.5 Business partners and relevant persons (such as shareholders, directors, or coordinators in case of  a business partner being a juristic person)

Purposes

Legal Bases for Data Processing

General personal data

  • For identification or verification before entering into a contract with the Company
  • For entering into a contract 
  • For business communication and coordination 
  • For issuing payment slips and withholding tax filing
  • For electronic transactions
  • For preparing tax documents and invoices
  • For complying with laws and creating any legal rights (if any)
  • The Company’s legitimate interests
  • Compliance with a contract between you and the Company
  • Consent
  • The Company’s legal obligations

Sensitive data

  • For entering into a contract
  • The explicit consent

Purposes

General personal data

  • For identification or verification before entering into a contract with the Company
  • For entering into a contract 
  • For business communication and coordination 
  • For issuing payment slips and withholding tax filing
  • For electronic transactions
  • For preparing tax documents and invoices
  • For complying with laws and creating any legal rights (if any)

Sensitive data

  • For entering into a contract

Legal Bases for Data Processing

  • The Company’s legitimate interests
  • Compliance with a contract between you and the Company
  • Consent
  • The Company’s legal obligations
  • The explicit consent

3.6 Persons interested in receiving medical service

Purposes

Legal Bases for Data Processing

General personal data

  • For marketing purposes
  • For offering marketing activities that may be of interest and beneficial to you
  • For making an appointment with the Company’s medical personnel, and/or the Company’s business alliances
  • For giving you useful platform information
  • The Company’s legitimate interests
  • Compliance with a contract between you and the Company
  • Consent
  • The Company’s legal obligations

Sensitive data

  • For diagnoses
  • The explicit consent

Purposes

General personal data

  • For marketing purposes
  • For offering marketing activities that may be of interest and beneficial to you
  • For making an appointment with the Company’s medical personnel, and/or the Company’s business alliances
  • For giving you useful platform information

Sensitive data

  • For diagnoses

Legal Bases for Data Processing

  • The Company’s legitimate interests
  • Compliance with a contract between you and the Company
  • Consent
  • The Company’s legal obligations
  • The explicit consent

3.7 Bloggers, influencers, and marketing activity participants

Purposes

Legal Bases for Data Processing

General personal data

  • For online advertisement and marketing activities
  • For research, development and improvement of the Company’s services
  • For identification or verification before entering into an advertisement contract with the Company
  • For entering into a contract 
  • For issuing payment slips and withholding tax filing 
  • For electronic transactions  
  • For preparing tax documents and invoices
  • For complying with laws and creating any legal rights (if any)
  • The Company’s legitimate interests
  • Compliance with a contract between you and the Company
  • Consent
  • The Company’s legal obligations

Sensitive data

  • For online advertisement and marketing activities
  • For research, development and improvement of the Company’s services
  • For entering into a contract
  • The explicit consent

Purposes

General personal data

  • For online advertisement and marketing activities
  • For research, development and improvement of the Company’s services
  • For identification or verification before entering into an advertisement contract with the Company
  • For entering into a contract 
  • For issuing payment slips and withholding tax filing 
  • For electronic transactions  
  • For preparing tax documents and invoices
  • For complying with laws and creating any legal rights (if any)

Sensitive data

  • For online advertisement and marketing activities
  • For research, development and improvement of the Company’s services
  • For entering into a contract

Legal Bases for Data Processing

  • The Company’s legitimate interests
  • Compliance with a contract between you and the Company
  • Consent
  • The Company’s legal obligations
  • The explicit consent

4. Disclosure of Personal Data

To provide you with services and to serve aforesaid purposes, the Company may be required to disclose your personal data to the following third parties

  1. Affiliated companies or a corporate group including their executives, directors, employees and/or personnel relevant to and necessary for your data processing; 
  2. The Company’s business alliances and business partners such as business alliances participating in a joint accumulation and privilege program, laboratories, life insurance companies, and other companies relevant to clinics’ services;
  3.  State agencies such as Anti Money Laundering Office, Office of the National Anti-Corruption Commission, Office of The Narcotics Control Board, Social Security Office, The Revenue Department, Legal Execution Department, Courts; 
  4. Service providers, agents and data processors assigned or engaged by the Company to manage/process personal data, for example, Cloud providers, information technology providers;
  5. Banks, credit card companies, payment service providers, provident fund management companies;
  6. Destination hospitals in case of patient transfers for medical treatment;
  7. The Company’s advisors, for example, legal counsels and auditors.

In addition, the Company may request your further consent from time to time so that the Company can disclose some types of your personal data (such as user accounts on social media, and opinions on the Company’s platform) on the Company’s social media for platform publicity.  You however have the right not to give your consent.

5. Sending or Transferring Personal Data to a Foreign Country

The Company uses Cloud services from overseas provider, i.e. Google Cloud Platform (GCP) to provide you with services.  The Company is therefore required to send or transfer your personal data to the service provider’s country for retention and processing that is one part of the Company’s ordinary course of business.  The Company is also required to send or transfer your personal data to destination hospitals, laboratories, and medical device manufacturers in a foreign country (such as the Federal Republic of Germany), including overseas data processors assigned or engaged by the Company to analyze personal data for the Company (such as Google Analytics, Google Ad, and Facebook Ads).  The Company shall make the best effort to send or transfer personal data to reliable destination countries having security measures equivalent to the ones prescribed by the national laws.

6. Retention of Personal Data

The company takes appropriate security measures for both organizational measures and technical measures to retain your personal data, for instance, entering a code to prevent access to the Company’s data storage system, storing data in locked file cabinets to prevent unauthorized access, using a digital locking system to limit the persons entitled to access data, storing data on Google Cloud and Inet to prevent the loss of data, and using Firewall. Furthermore, the Company’s personnel and service providers have the duty to keep the data subject’s personal data confidential, and strictly comply with a security standard and a security policy when using, sending, transferring or processing your personal data.

In the case that the Company or you set a password for the use of the Company’s platform, you shall be responsible for keeping it confidential to prevent other persons from having unlawful access to your personal data.

7. Retention Period for Personal Data

The Company shall retain your personal data as necessary and according to the retention period set out by the specific laws.  Provided no specific retention period set out by law, the Company shall set a retention period as necessary for its operation as follows:

  1. Patients and relevant persons (such as relatives) throughout a period of time you have been served the Companys medical servicesIn the case that you no longer have contact with the Company, the Company shall retain your personal data for a least 5 years from the last day you have been served a medical care;
  2. Emergency or unconscious patients and relevant persons (such as accompanying persons) throughout a period of time you have been served the Companys medical services.                   In the case that you no longer have contact with the Company, the Company shall retain your personal data for a least  5 years from the last day you have been served a medical care;
  3. The Companys personnel and relevant persons (such as guarantor) throughout a period of time you have been the Companys personnel;
  4. Job applicants and relevant persons (such as reference persons) throughout a period of time you have been in the process of recruitment, selection, interview and doing any activities relevant to a job application. The Company shall retain your personal data for at least 2 years from the deadline for application;
  5. Business partners and relevant persons throughout a period of time you have been the Companys business partnersThe Company shall retain your personal data as long as necessary for serving the purposes of data processing from a termination date;
  6. Persons interested in receiving medical service throughout a period of time you have been using the Companys platform and/or at least 5 years from a date you stop using it completely;
  7. Bloggers, influencers, and marketing activity participants Data shall be retained as long as necessary for serving the purposes of data processing.

The Company shall erase, destroy, or anonymize the aforesaid data to become the anonymous data at the end of such retention period.

8. Your Rights

You can exercise your rights to your personal data under this Policy Notice by contacting the Company by the means specified in article 13If you are under the age of 20 or you have a limited capacity under the law, you can exercise your right by your parents, guardian, or legal representativeThe Company shall make the best effort to take action or give an explanation within 30 (thirty) days or within an appropriate timeYou are entitled to the following rights:

  1. Request access to and obtain a copy of personal dataYou are entitled to request access to and obtain a copy of your personal data collected by the Company, or to request the disclosure of a source of your personal data acquired without your consent;
  2. Request the correction of personal dataYou are entitled to request the correction of your personal data to be accurate, up to date, and not misleading;
  3. Request the erasure or destruction of personal dataYou are entitled to request the erasure or destruction of your personal data, or data anonymization;
  4.  Request a restriction on the use of personal data: You are entitled to request a restriction on the use of personal data in case that the Company is pending examination process in accordance with your request/objection, or in case that you request the Company to restrict the use of personal data instead of erasure or destruction of unnecessary personal data;
  5.  Object to your personal data processingYou are entitled to object to your personal data   processing as prescribed by the personal data protection law;
  6. Transfer personal data:  You are entitled to obtain your personal data, and to request the Company to send or transfer your personal data to a third party in order to facilitate the exercise of your rights, unless it is impossible to do so because of the technical circumstances. The exercises of rights shall be subject to the provisions prescribed by law;
  7. Withdrawal of consentIn the event that you have given consent to the Company to collect, use, and/or disclose personal data, you are entitled to withdraw the consent at any time via the Companys contact channels, unless there is a restriction of the withdrawal of consent by law, or there is a contract giving you benefits.
    Such withdrawal of consent shall not affect the collection, use, or disclosure of personal data that have been processed by the Company on the basis of consentIn some cases, the withdrawal of consent may affect you, for instance, inconvenient for providing you with welfare benefits, inconvenient for business coordination, notifications of benefits, promotion, news or new offers, not being served with better products or services and not being served with products or services that meet your needs, etc.
  8. File a complaint:  You are entitled to file a complaint with a person in authority (such as a personal data protection committee/office) in the event that you believe that the Company breaches the personal data protection law.

The exercise of your rights may be restricted or rejected with some reasons, for instance,  the exercise of your rights may be in violation of the law/order of a competent agency, for public interest purpose, or may affect freedom of a person, etcThe Company shall inform you of a reason for rejection.

9. Cookie Policy

The Company collects personal data by using cookie and other similar technologies when you use the Company’s platform for the following purposes: (1) analyse and process your use of the platform; (2) broaden your experience and increase your satisfaction; (3) advertisements and public relations for the Company’s products and services; and (4) adjust marketing campaigns to meet your needs. You can set or delete cookie personally by setting an application on your mobile phone or web browser, which enables you to decline the use of cookie wholly or partially. However, you may not be able to access some part of the Company’s platform.
You are advised that a third party (such as an advertising network and a data processor analysing website visits, etc.) may use such cookie also, which is outside the Company’s control. Using cookie usually more relates the Company’s platform and advertisements thereon to your interests, which enable the development of the Company’s platform.

10. Marketing Media

When obtaining explicit consent from you verbally or via the platform, the Company may provide you with information for a marketing purpose, and for sales promotion and marketing activities of the Company and/or its business alliances that may interest and be beneficial to you (the Marketing Media”) via notification on the platform, telephone, and/or emailYou can cancel receipt of such marketing media at all times via the platform, the Companys contact channels, and/or when the Company have contact with you.

The Company advises you that in the event that you choose not to receive such information, the Company shall be able to continue sending the information irrelevant to sales promotions or information about the use of platform for your benefits.

11. Amendment