Sangsakao Clinic

• 2.1 This Policy applies to directors, executives, employees, and staff at all levels of the Clinic, including business partners, service providers, and stakeholders of the Clinic.
• 2.2 This Policy applies to all operational activities of the Clinic involving personal data, such as personal data collection channels, types and formats of collected data, the Clinic's purposes for collecting or using personal data, sharing personal data with others, and measures taken by the Clinic to protect personal data, etc.

Clinic:

Sangsakao Clinic, including the website https://www.laserbankclinic.com/about-us

Personal Data:

Information about an individual that enables the identification of that person, whether directly or indirectly, but excluding information of a deceased person in particular.

Sensitive Personal Data:

Personal data as stipulated in Section 26 of the Personal Data Protection Act B.E. 2562 (2019), such as racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or any other data which affects the data subject in the same manner, as prescribed by the Personal Data Protection Committee.

Data Subject:

A natural person who can be identified from personal data, such as Clinic personnel, job applicants, family members/references/emergency contacts related to Clinic personnel or job applicants, customers, service users, business partners, visitors to the Clinic's website, persons exercising parental power authorized to act on behalf of minors, curators authorized to act on behalf of incompetent persons, guardians authorized to act on behalf of quasi-incompetent persons, etc.

Data Controller:

A person or juristic person having the power and duty to make decisions regarding the collection, use, or disclosure of personal data.

Data Processor:

A person or juristic person who operates in relation to the collection, use, or disclosure of personal data pursuant to the orders given by or on behalf of a Data Controller.

Personal Data Processing:

Any operation performed on personal data, such as collection, recording, copying, organizing, keeping, updating, changing, using, retrieving, disclosing, forwarding, disseminating, transferring, combining, deleting, destroying, etc.

Personal Data Protection Laws:

The Personal Data Protection Act B.E. 2562 (2019) and related subordinate laws, and shall include any future amendments.

Anonymization:

A process that reduces the risk of identification of the data subject to a very low level until risk management is almost unnecessary (Negligible Risk).

The Clinic may collect and use personal data of the data subject as follows:

The Clinic will verify the quality of the collected personal data to ensure it is accurate, complete, up-to-date, and not misleading, unless otherwise provided by law.

The Clinic will retain personal data for as long as it is necessary for the purposes of data collection, as detailed in the policy, privacy notice, or relevant laws. It may be necessary to retain it thereafter if the Clinic has a legal obligation to comply with the law, or in case of disputes, exercise of rights, or lawsuits related to personal data. The Clinic will retain such data until the dispute has a final order or judgment. The Clinic will arrange for appropriate procedures to delete or destroy personal data or anonymize it when it is no longer necessary or upon the expiration of such period.

For the benefit of confidentiality and security of personal data, the Clinic has established the following measures:

• 8.1 Strictly define rights for access, use, disclosure, and processing of personal data, including identification or verification of the identity of the person accessing or using personal data, in accordance with the Clinic's IT policy.
• 8.2 In sending or transferring personal data abroad (if any), the Clinic will ensure that the destination country has personal data protection measures equivalent to or better than the measures under the Clinic's policy.
• 8.3 In case of a violation of the Clinic's security measures leading to a personal data breach, the Clinic will promptly notify the data subject.

The Clinic requires employees or departments related to personal data to prioritize and be responsible for collecting, using, or disclosing personal data strictly in accordance with the personal data protection policy and guidelines.

The Data Subject has the rights to proceed as follows:

Only Clinic officers or persons assigned by the Clinic with duties or responsibilities related to the purposes of using personal data or for compliance with the law have the right to access the Data Subject's personal data.

The Clinic may disclose or transfer the Data Subject's personal data to third parties within the country or abroad (if any) as necessary to comply with the purposes and processing bases only, such as affiliated companies, employees, and companies hired by the Clinic to act as data processors, business partners, legal advisors, lawyers, auditors, including government agencies with authority to request personal data.

If the Data Subject has any doubts, questions, or requests regarding personal data, they can contact the Clinic through the following channels:

However, if the Data Subject wishes to exercise any of the rights above under Clause 10, they can contact the Clinic via the contact details above or fill out the “Data Subject Right Request Form”.

Any person responsible for performing duties, if neglecting or omitting to order, or not performing, or ordering, or performing any act which violates the policy and guidelines regarding personal data, causing an offense under the law and/or damage, shall be considered a personal offense and subject to disciplinary action.

The Clinic will review or update this Personal Data Protection Policy at least once a year to comply with relevant laws and changing technologies.