The Personal Data Protection Act, B.E. 2562 (2019) aims to protect personal data because of the increasing number of privacy violations that cause inconvenience or damage to data subjects. Additionally, technological advancements have made it easier, faster, and more convenient to collect, use, or disclose personal data in a way that violates privacy and harms the overall economy. The law therefore establishes principles for collecting, using, or disclosing personal data with the consent of the data subject and clear notification of the purpose, either in writing or electronically.
La Perla (2020) Co., Ltd., as a provider of non-overnight medical clinics, supplements, vitamins, medicines, cosmetics, and plastic surgery procedures to correct various defects on any part of the body, intends to seek consent to collect personal data for patients, clients, consultees, and service seekers of the company for the following purposes:
- To send information to external parties for marketing purposes, promoting products and services related to skin and body care, including products, tools, and equipment. To present personalized treatment plans and cosmetic surgery procedures to enhance the appearance of each patient, client, consultee, or service seeker.
- To collect personal data for data analysis for the company’s business purposes, tailored to each patient, client, consultee, or service seeker, products, equipment, and tools, for the benefit of the data subject.
- To use the data for analysis, offer, recommend, and/or suggest products, chemicals, and equipment for services or for patients, clients, consultees, or service seekers who have received services from the company.
- To follow up and evaluate the success of services and follow-up evaluations of patients, clients, consultees, or service seekers who have received services from the company.
- To prevent or mitigate harm to the life, body, or health of patients, clients, consultees, or service seekers who have received services from the company, data subjects, to control the standard or quality of drugs, medical devices, and to establish appropriate and specific measures to protect the rights and freedoms of data subjects, especially the confidentiality of personal data according to duty or professional ethics.
- For the necessity of performing duties in providing services or receiving services under the contract of patients, clients, consultees, or service seekers who have received services from the company, where the data subject is a party to the contract, or for use in acting upon the request of the owner or data subject before entering into the contract.
- To perform any other act directly related to the foregoing.
Personal data means any information relating to an identified or identifiable individual, including, but not limited to, information about a deceased person. It also includes information that allows a person to be identified directly or indirectly, such as:
- Sensitive personal data: This includes information about a person’s race, ethnicity, political opinions, religious or philosophical beliefs, sexual orientation, criminal history, health, disabilities, trade union membership, genetic data, biometric data, or any other information that affects the data subject, without the explicit consent of the data subject.
- Health: This refers to the complete state of physical, mental, and social well-being of a person, with all the factors interconnected and forming a harmonious whole. It encompasses an individual’s health information, including medical history, current and ongoing illnesses, ongoing treatments, and any sudden ailments. Sometimes, it may be necessary to collect or disclose information about a person’s health status, such as medical records, treatment history, medication allergies, blood test results, ultrasound images, and any disabilities.
- Genetic Information: This refers to personal data related to inherited genetic characteristics. For instance, DNA and gene data are now being collected for disease prevention, diagnosis, and treatment by healthcare providers, as well as for in vitro fertilization or IVF procedures. It also includes information about ethnicity.
- Biometric Information: This encompasses data derived from the application of technology to physical or behavioral characteristics for identification purposes. Examples include bone structure, dental impressions, fingerprints, iris scans, and voice patterns.
PDPA Consent (Consent to Collect, Use, and Store Your Information)
The company will collect and process your personal data, including sensitive personal data such as information from your national ID card and passport. This information will be used for the purposes of consultation, medical procedures, and as a patient or service recipient. You also consent to the company sending and disclosing your information to government agencies and entities related to the company for the purpose of providing services, improving service delivery, data processing, or for compliance with the law. The company may request details of your political affiliations and health history as necessary for screening purposes, prevention, recommendations for services, and the obligation of the data subject to disclose their health information in full.
The company will store and may process your personal data to provide you with services in accordance with the company’s standards and to fulfill its legal obligations to you as a patient, consultant, or service recipient. This includes cases where you have contacted the company for any reason or where the company has contacted you.
Rights of Data Subjects or Data Disclosers
- Right to Access and Request Copies of Personal Data: Data subjects have the right to request access to and obtain copies of their personal data held by the data controller. They may also inquire about the source of their personal data if they did not provide their consent.
- Right to Rectification of Personal Data: Data subjects have the right to inform the data controller to correct inaccurate or incomplete personal data. They also have the right to be informed of the consequences if they do not provide their personal data.
- Right to Data Portability: Data subjects have the right to receive their personal data from the data controller in a structured, commonly used, and machine-readable format. They may also request that the data controller transmit or transfer their personal data in such a format to another data controller, when technically feasible.
- Right to Object, Erase, or Restrict Processing: Data subjects have the right to object to, erase, or restrict the processing of their personal data at any time. This includes the right to withdraw consent for the processing of their personal data.
- Right to Lodge a Complaint: Data subjects have the right to lodge a complaint with the relevant supervisory authority if the data controller or data processor, including the employees, agents, or contractors of the data controller (company) or data processor, violates or fails to comply with the Personal Data Protection Act.
- Right to Object to Automated Processing: Data subjects have the right to object to the collection, use, or disclosure of their personal data that is permitted by law without the consent of the data subject.
- Exercise of Rights: Data subjects must submit their requests in writing to the data controller at the following address: La Perla (2020) Co., Ltd., 1028, Paithaya Building, Room 1A, 1st Floor, Khlong Rangsit Road, Prachathipat Subdistrict, Thanyaburi District, Pathum Thani Province.
Method of Withdrawing Consent and Effects of Withdrawal
Data subjects may withdraw all or part of their consent as per the written consent provided by the data subject to the company, either in writing or electronically, as notified by the data collector and processor. The company may inquire about the reason for withdrawing all consent. The withdrawal of consent by the data subject shall not affect any actions that the company has already taken, including in cases where the data subject intends to request cancellation or destruction, if it affects the rights and obligations of the data subject. The data subject agrees to accept the consequences arising from such actions without claiming, accusing, or demanding any compensation from the company.
Method of Signature and Consent of Data Disclosers
Data subjects agree and acknowledge that in the event that they provide consent through the consent form prepared by the data controller, by clicking on a checkbox, tapping twice on a mobile phone button, sliding the screen (swipe) to indicate “consent” by the data subject themselves, or to express the data subject’s intent to consent, after it has been clearly stated that such actions represent agreement or consent to the collection, use, or disclosure of personal data; filling out forms in an electronic system; sending emails; sending electronic documents scanned from the original; or using electronic signatures. This may involve methods that can identify the data subject and show the data subject’s intent, using methods that are reliable and appropriate for the purpose, or any other method that can verify the data subject’s identity and can show the data subject’s intent by that method or in conjunction with other evidence under the Electronic Transactions Act, which includes providing consent using a password, digital signature, electronic signature in the form of biometric data, or any other method that may arise in the future. It shall be deemed that the data subject has agreed to consent to the disclosure of personal data. Before giving consent, I have read and understood the terms and conditions for disclosing personal data, which are clearly stated above this consent. The expression of intent to consent in any of the above methods shall be deemed as if I have expressed my intent to consent voluntarily.