Personal Data Policy for the Use of Medical Treatment Services

Hospitals under N.P. Medical Co., Ltd. (the “Company”) (collectively, the “Hospital”) have issued this Personal Data Policy for the use of medical treatment services (the “Policy”) in order to inform you, as a user of the Hospital’s services, about the collection, use, storage, transfer, disclosure, and management of your personal data. This applies whether you receive services by visiting the Hospital in person or via Telemedicine, as well as through any other channels that the Hospital may designate from time to time (the “Services”).

Upon providing medical records and personal information to the Hospital, you are considered a user of the Hospital’s services (“Patient”) and, in doing so, acknowledge, accept, and agree to this Policy. If a Patient disagrees with this Policy or any subsequent revision of it, the Hospital reserves the right to deny access to its services, because processing personal data under this Policy is essential to the Hospital’s provision of medical care, to its legal and contractual obligations, and to the protection of its legal rights. As long as the Patient continues to receive services, they are deemed to agree to this Policy.

In cases where the Patient is a minor, and either the minor provides the personal data for the medical record directly with parental consent and verification, or the parent provides the minor’s data to the Hospital directly, the minor Patient will be deemed to consent to data processing as outlined in this Policy, to the extent permitted by law. The Hospital is under no obligation to verify the legality of the parent’s authority or rights.

This Policy applies solely to the services provided by the Hospital and does not extend to services provided by external parties that may be linked or related to the Hospital’s services, such as insurance companies, welfare providers, or providers conducting follow-up diagnoses or treatments. Patients should refer to and understand the separate data processing policies of these third parties. The Company is fully committed to protecting personal data and strictly complies with the Personal Data Protection Act B.E. 2562 (PDPA) of Thailand.

If any changes are made to this Policy, the Hospital will clearly notify Patients through various communication channels, with the revised Policy taking immediate effect upon announcement.


1. Hospital Privacy and Personal Data Protection Policy

The privacy and personal data rights of our patients are of utmost importance to S Spine and Nerve Hospital and the other hospitals operated by N.P. Medical Co., Ltd. (together, the “Hospital”, as defined above), and form a core policy dedicated to protecting and respecting these rights. The Hospital is committed to ensuring the security and confidentiality of patient data across all processing activities. The Hospital adheres to the highest professional standards within the healthcare and medical services field and complies fully with all relevant Thai and international laws.

The Hospital will regularly review and update this Policy, as well as any internal policies and measures related to personal data processing, to ensure alignment with current data protection practices and to incorporate relevant technological and security advancements, thereby upholding high efficiency in accordance with established standards.

In terms of data security measures, the Hospital implements both organizational and technical protections, tailored to the sensitivity of the personal data. The Hospital places a strong emphasis on training and raising awareness among all employees, medical personnel, and external service providers to understand and respect the importance of safeguarding personal data and privacy rights.

To oversee and manage personal data protection, the Hospital has appointed a Personal Data Protection Working Committee as part of its governance structure. This committee ensures that the Hospital handles your personal data in compliance with all relevant laws and regulations and with this Policy. If you have any questions regarding personal data processing or your rights, you may contact the Hospital’s Personal Data Protection Working Committee through the contact information given in Section 7 of this Policy.


2. Personal Data Processed, Processing Purposes, and Retention Periods by the Hospital in Each Stage

Sources of Personal Data Collected by the Hospital

The Hospital may receive your personal data from four primary sources:

  1. Directly from the Patient: This includes data obtained during patient registration, medical history interviews, and medical record creation.

  2. Other Healthcare Facilities: The Hospital may obtain medical information from other healthcare providers where the patient previously received treatment. Such data may be necessary for accurate diagnosis and treatment, as well as for preventive or emergency measures to protect the patient’s health and life, as applicable.

  3. Your Affiliated Organization: In cases where an organization affiliated with the patient provides personal data to the Hospital to facilitate medical services, the Hospital assumes that the organization has obtained the necessary rights or consent from the data subject. The Hospital reserves the right, but is not obligated, to verify the validity of this disclosure.

  4. Medical Personnel and External Service Providers: Hospital staff, including employees and external medical service providers under contract, may generate additional personal data through analyses and diagnoses as part of the medical care process provided to the patient.


Personal Data for Medical Record Registration for Medical Services

When a patient wishes to receive medical services from the Hospital, they are required to register with the Hospital’s medical records system. The Hospital informs patients that all personal data provided during this registration (as detailed below) is essential for assessing eligibility to provide medical services. The Hospital conducts this process in compliance with legal standards related to medical diagnosis, healthcare, social services, and medical treatment, maintaining confidentiality according to professional medical ethics.

The personal data required from patients for medical record registration includes:

  • General Information: This includes full name, date of birth, gender, nationality, current address, and contact information such as email address and phone number.

  • Identification Documents: This includes a copy of the patient’s national ID card or passport.

  • Sensitive Personal Data: This includes information such as race and religion (which the Hospital will collect, use, and store only with the patient’s consent) and health information such as medical history, chronic conditions, and any known allergies to medications or foods. This health information is essential for diagnostic and treatment purposes, and the Hospital manages this data under legal frameworks governing healthcare providers.

All personal data collected during the registration and creation of the patient’s medical record will be stored and used strictly as necessary to fulfill the primary purpose of delivering medical care to the patient in accordance with legal obligations.

The Hospital relies on the following legal bases for processing this data, and retains it for the corresponding periods:

  • For Legal Compliance: As a healthcare provider, the Hospital is legally obligated to process personal data for purposes such as medical diagnosis, healthcare or social services, medical treatment, and health management. The Hospital has a primary duty to maintain the confidentiality of this data in accordance with legal and professional ethical standards, and must retain it for the duration specified by the relevant laws and professional standards.

  • For Fulfilling Contractual Obligations: Under the conditions of medical services provided by the Hospital, there exists a contractual duty to offer healthcare services and to manage contact, eligibility verification, and welfare benefits for patients. To ensure that medical services are provided as stipulated, the Hospital must process personal data. This includes retaining personal data throughout the patient’s engagement with the Hospital, meaning as long as the patient has an active medical record with the Hospital and has not formally terminated the relationship in writing.


Personal Data for Medical Diagnosis and Treatment Services

After completing the medical record registration and history-taking, the patient will receive medical diagnosis and comprehensive treatment services from the Hospital in accordance with legal standards. During diagnosis and treatment, the Hospital needs to collect and use additional personal data beyond what was provided in the initial medical record. This may include data related to diagnosis and treatment generated by the Hospital or received from other healthcare providers, including external or affiliated medical service providers, with whom the patient may have a treatment history and direct contact.

The data the Hospital needs to process for diagnosis and treatment includes:

  • Medical Service Records: This includes records of diagnostic and medical treatments, follow-up on the patient’s condition, physical examination data (e.g., X-ray films or digital images), diagnostic and analysis results, prescribed medication, and any medical procedures recommended by Hospital personnel. For telemedicine services, this may also include recorded audio and video conversations, as well as images or video footage of the patient to monitor progress over the course of treatment.

  • Payment Information: This includes direct payment records, such as proof of payment, credit card details, or other payment documents, as well as information on benefits and entitlements under agreements between the patient and welfare or insurance providers.

  • Communication Records: Any questions, concerns, or complaints that the patient may address to the Hospital.

All personal data collected during medical services will be processed strictly as necessary to fulfill the primary purposes of delivering diagnosis and treatment to the patient.

  • To Comply with Legal Duties
    The Hospital has the following legal obligations:

    1. As a Healthcare Provider: The Hospital is legally required to fulfill objectives related to medical diagnosis, healthcare, social services, medical treatment, and health management. Due to these legal duties, the Hospital must collect, store, use, and process patients’ personal data in compliance with the relevant standards and laws.

    2. As a Tax Entity: The Hospital is subject to accounting and tax laws, which require the retention of accounting and tax documentation. This may include the collection, storage, and use of your personal data within these documents.

    3. As a Facility Handling Certain Controlled Medications: For medications subject to regulatory control, the Hospital has a duty to collect and report personal data of patients receiving such medications in accordance with legal requirements.

    To fulfill these obligations, the Hospital must retain personal data for the legally specified duration.

  • For the Prevention or Mitigation of Harm to Life, Body, or Health: In cases of immediate risk to a patient’s life, body, or health, such as emergencies where consent cannot be obtained (including for sensitive personal data), the Hospital may need to process the patient’s data under these exceptional circumstances.

    In such situations, the Hospital guarantees that the scope of data processing will be strictly limited to what is necessary for the specific situation and that the data will be retained only as long as needed to prevent or mitigate the harm.

  • To Fulfill Contractual Obligations for Service Provision
    Under the terms of the service agreement between the Hospital and the patient, the Hospital has a duty to provide diagnostic and medical treatment services. To meet these obligations and ensure that services are delivered as stipulated, the Hospital must process the patient’s personal data. This data processing is essential to fulfill the services as agreed upon, which may include managing patient appointments, sending reminders for scheduled treatments, verifying treatment eligibility, and ensuring that the patient’s entitlements are fully utilized. This may also include contact for support or complaints through various channels, including social media.

    In processing personal data for service provision or inquiries, the Hospital reserves the right to retain such data for as long as the patient continues to receive services and maintains a medical record with the Hospital.

  • To Protect the Legitimate Interests of the Hospital
    Without infringing on the rights of patients as data subjects, the Hospital reserves the right to process patient personal data for the following legitimate purposes:

    1. Legal Claims and Defense Preparation: To protect itself in any potential legal actions between the Hospital and the patient, the Hospital reserves the right to retain personal data as necessary within the statute of limitations to effectively defend these rights.

    2. Risk Management: This may include sharing, disclosing, or reporting incidents internally to ensure service quality within the Hospital.

    3. Service and Product Improvement: To assess and adapt the Hospital’s services and products to better meet patient needs.

    4. Enhancing Future Services and Relationship Building: To improve patient relations through staff training and by reviewing and addressing patient complaints.

    5. Contact Information for Marketing Analysis: The Hospital may use patient contact information for marketing analysis, such as building Lookalike Audiences on Facebook, to identify individuals with similar interests.

    The Hospital reserves the right to retain personal data for an appropriate duration to support its business interests, within legal boundaries. The Hospital is committed to respecting patients’ rights as data subjects, including the fundamental right to object to personal data processing.

  • With Patient Consent: With your consent, the Hospital may use your personal data to create educational materials, marketing, and promotional communications, as well as to feature treatment visuals or outcomes for promotional purposes. The Hospital ensures that any such use respects your rights as a data subject. Although the Hospital welcomes your feedback on promotional materials, it has no obligation to submit these materials for your review or separate consent prior to disclosure or publication.


3. Disclosure of the Patient’s Personal Data

The Hospital is committed to implementing specific measures to protect the rights and freedoms of patients as personal data subjects, with a focus on confidentiality in accordance with professional ethics and legal obligations. As a rule, the Hospital will not disclose or share any patient personal data with third parties, except in the cases set out below, where disclosure is required by law or contract or is made with the patient’s consent:

  • Welfare or Insurance Providers: In cases where a patient’s treatment is covered under welfare benefits provided by their affiliated organization or an insurance policy with an insurer, the Hospital may need to disclose personal data to verify eligibility and ensure that the patient receives full benefits. This disclosure is essential for the Hospital to provide services in accordance with the patient’s rights and entitlements.

    The Hospital will limit data disclosure to only the information necessary to assess the patient’s eligibility and benefits. Additionally, the Hospital will establish appropriate data processing agreements with any third parties receiving this personal data and will inform the patient about the intended contact and data sharing in advance.

  • External Service Providers and Personal Data Disclosure
    The Hospital may engage external service providers to deliver essential services to patients. These providers may include, but are not limited to:

    1. Independent Medical Practitioners: Healthcare professionals engaged by the Hospital to provide services on its behalf.

    2. Specialized Medical Personnel: External medical specialists whom the Hospital may recommend to patients for additional services. In such cases, the Hospital will inform patients and allow them the choice to proceed before disclosing any personal data.

    3. Specialized Diagnostic Service Providers: Labs or radiology facilities recommended by the Hospital to patients. Personal data will only be shared with these providers to facilitate diagnostics, and results will be sent back to the Hospital.

    4. IT, Financial, Legal, Tax, and Compliance Service Providers: Specialists hired by the Hospital for operational management, quality assurance, research, or other necessary services. Some external providers may be located and operate outside Thailand.

    The Hospital will implement appropriate security measures for data shared with external providers, including access limitations and data processing agreements to restrict access and usage of personal data solely to necessary purposes.

  • Government or Regulatory Agencies: The Hospital may have a legal duty to disclose personal data to government bodies or regulatory agencies as required by law, regulation, or official orders for compliance or review purposes. In such cases, the Hospital will ensure that data disclosure is strictly limited to the specific legal obligations.

  • Consent-Based Disclosure: With the patient’s consent, the Hospital may disclose personal data to individuals or entities specified by the patient, such as insurance companies, affiliated companies providing rehabilitation services, other hospitals, or medical facilities.

These measures ensure that personal data is disclosed to external parties in a secure and lawful manner that respects patient consent and confidentiality.


4. Personal Data Security Measures

The Hospital prioritizes the security of patient personal data, protecting it against loss and against unauthorized access, use, alteration, or disclosure. The Hospital has established internal protocols governing access to personal data, especially sensitive patient information, to safeguard its confidentiality and security. These measures are regularly reviewed to keep them in line with industry standards and relevant laws. Key security measures include:

  • Data Anonymization and Pseudonymization: Wherever a process does not require confirming the patient’s identity, the Hospital anonymizes or pseudonymizes the data by separating directly identifying information from the rest of the data, so that the remaining data cannot readily be linked back to an individual and the risk of re-identification is reduced.

  • Data Encryption and Access Control: Data is encrypted as necessary, with access limited to authorized personnel only. Both physical and system access are restricted, and audit trails are maintained to track and verify data access.

  • Monitoring and Incident Response: The Hospital routinely monitors and assesses the risk of data theft or unauthorized access. Security systems are regularly checked, and an emergency response plan is in place for incidents. In case of a personal data breach, the Hospital will report it to the Office of the Personal Data Protection Commission within the timeframe the PDPA prescribes (without delay and, where feasible, within 72 hours of becoming aware of the breach) and will notify affected data subjects where the breach is likely to result in a high risk to their rights and freedoms.

  • Data Sharing Agreements: When personal data is shared with external parties, the Hospital requires written agreements specifying data handling responsibilities. A monitoring system ensures compliance with these agreements, and clear procedures are in place to manage and respond to any data breaches effectively and appropriately.


5. Patient Rights as Data Subjects

The Hospital recognizes and respects the legal rights of patients regarding their personal data under the Hospital’s control. The Hospital agrees to uphold the following rights, as granted by law:

  • Right of Access and Copies: Patients have the right to access and receive a copy of their personal data, as well as request corrections to ensure accuracy and currency, unless legal restrictions apply that limit disclosure or if disclosure would unreasonably affect the rights of others.

  • Right to Data Portability: Patients can request their personal data in a commonly used, machine-readable format, and may also request that it be transferred to another data controller.

  • Right to Object: Patients have the right to object to the processing of their personal data.

  • Right to Erasure or Anonymization: Patients can request the deletion, destruction, or anonymization of their personal data when it is no longer necessary or when they withdraw their consent.

  • Right to Restrict Processing: Patients can request that the processing of their personal data be restricted rather than the data deleted, for example while a request for correction or an objection is being verified, or where the data is no longer necessary for its original purpose but the patient needs it retained in connection with a legal claim.

  • Right to Withdraw Consent: Patients can withdraw their consent to data processing for any purpose for which consent was previously given. Withdrawal does not affect processing that was lawfully carried out before the consent was withdrawn.

Patients may exercise these rights by contacting the Hospital using the contact details in Section 7 of this Policy. The Hospital will inform the patient of the outcome within a reasonable period, in accordance with the legal timeframes.

6. Steps and Details of Personal Data Processing in Connection with Medical Treatment Services

For each stage of the medical treatment services, the following sets out the personal data processed, the purpose of processing, the legal basis, and the retention period.

  1. Registration and Medical Record Creation
     Personal data processed: Full name, contact information, ID card/passport, date of birth, gender, nationality
     Purpose of processing: To verify identity and assess eligibility for medical services
     Legal basis: Contract / Legal obligation
     Retention period: For the duration of the medical record, until officially terminated by the patient

  2. Preliminary Health History and Diagnosis
     Personal data processed: Medical history, underlying conditions, allergies, X-ray images, lab results
     Purpose of processing: To support medical diagnosis and treatment planning
     Legal basis: Legal obligation / Contract
     Retention period: As required by relevant laws (e.g., 5–10 years, or as defined by medical standards)

  3. Medical Treatment
     Personal data processed: Treatment records, prescriptions, surgeries, ongoing diagnosis and care
     Purpose of processing: To provide safe and continuous medical services
     Legal basis: Legal obligation / Contract
     Retention period: As defined by law or professional ethics

  4. Financial and Benefit Administration
     Personal data processed: Payment evidence, welfare/insurance entitlements, tax documents
     Purpose of processing: To verify payment and exercise applicable benefits
     Legal basis: Legal obligation / Contract
     Retention period: As required by accounting and tax laws

  5. Inquiries or Complaints
     Personal data processed: Complaints, questions, contact logs
     Purpose of processing: To improve service quality and provide assistance
     Legal basis: Legitimate interest
     Retention period: For the duration of the medical record, or until the matter is resolved

  6. Data Transfer or Disclosure
     Personal data processed: Medical records, treatment information
     Purpose of processing: To transfer data to medical personnel, insurance companies, labs, or other relevant parties
     Legal basis: Legal obligation / Contract / Consent
     Retention period: Only for the duration necessary for the specified purpose

  7. Communication and Promotional Use
     Personal data processed: Photographs, voice recordings, treatment results (if consented)
     Purpose of processing: To create educational materials, marketing, or promotional communications
     Legal basis: Explicit consent
     Retention period: Until consent is withdrawn, or as specified at the time of consent

7. Hospital Contact Information as Data Controller

The Hospital welcomes any questions, complaints, feedback, or requests related to this Personal Data Policy, especially regarding the rights of patients as data subjects. You may contact us via:

  • Email: dpo@s-spinehospital.com
  • Phone: 02-034-0808
  • Postal Address: N.P. Medical Co., Ltd., 523/1 Praditmanutham Road, Wang Thonglang Subdistrict, Wang Thonglang District, Bangkok 10310

8. Policy Review and Amendment

The Company shall ensure that this Personal Data Policy is reviewed and, where necessary, amended by the Board of Directors at least once a year. Such a review shall be based on the compliance reports submitted by the Personal Data Protection Working Committee and the Audit Committee and shall consider any significant changes in the Company’s business operations or personal data processing activities.

The objective is to maintain the policy’s relevance, accuracy, and alignment with applicable data protection laws and best practices.

In the event of any material amendments, the Company will duly communicate such changes to data subjects through appropriate and transparent communication channels.


9. Reporting and Monitoring of Data Protection Implementation

The Personal Data Protection Working Committee is responsible for preparing a report on the implementation of data protection measures and submitting it to the Board of Directors at least once a year, and additionally in the event of a significant incident such as a data breach or a high-risk assessment outcome. The report shall summarize the actions taken in accordance with the Company’s data protection policy and procedures.


Data Controller Information

Data Protection Officer (DPO), N.P. Medical Company Limited
E-mail: dpo@s-spinehospital.com

The Company acts as the “Data Controller” under the Personal Data Protection Act B.E. 2562 (PDPA) of Thailand.