Privacy Notice for Events

Announcement by the Health Intervention and Technology Assessment Program Foundation on Privacy Notice for Events

1. Background

The Health Intervention and Technology Assessment Program Foundation (hereinafter referred to as “HITAP”, “we” or “us”) respects and places importance on the right to privacy in relation to personal data of conference attendees, research subjects, interviewees, event participants, registrants, as well as training and seminar attendees (“you” or “data subject”). HITAP would like to provide you with information to better understand the purposes for processing of your personal data for the events, exhibitions, trainings, conferences, seminars, interviews and research data collections of HITAP, whether online or offline (“Events”). We are accountable for ensuring security of your personal data in HITAP’s control and we will manage your personal data in a secure and trustworthy manner. In this regard, HITAP provides this Privacy Notice for Events (“Privacy Notice”) to explain our practice in relation to personal data and sensitive personal data as well as notifying you of the details of collection, use and disclosure, the purposes of data processing and your rights under the Personal Data Protection Act B.E. 2562 (2019) (“Act”) as follows:

2. Definition

• “HITAP” means Health Intervention and Technology Assessment Program Foundation.
• “Personal Data” means any information relating to a person which enables the identification of such person, either directly or indirectly, excluding information of deceased persons.
• “Sensitive Personal Data” means personal data as stipulated in Section 26 of the Personal Data Protection Act B.E. 2562 (2019) which includes racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner, as prescribed by the Personal Data Protection Committee.
• “Processing of Personal Data” means any operation which is performed on personal data such as collection, recording, copying, structuring, storage, adaptation, alteration, use, retrieval, disclose, transmission, dissemination, transfer, combination, erasure, or destruction.
• “Data Subject” means a natural person whose Personal Data are collected, used or disclosed by HITAP.

In this regard, any terms which are not defined under this Privacy Notice shall refer to the terms as defined in the Act.

3. Types and Sources of Personal Data

HITAP collects your personal data directly from you, whether in hard or electronic copy, by means of filling out your personal data through the document or online platform as provided by HITAP and/or other means. However, due to the particular nature of our processing activities, we may collect your personal data indirectly from other sources. Your personal data which are required for our processing activities may vary according to the cases and characteristics of such processing activities as follows.

1) General Personal Data

• Personal details and member information such as name, surname, gender, date of birth, signature and/or copy of identity certification (passports for foreign nationals), unless necessary, see paragraph 2 below.
• Information on academic and other achievements such as school of graduation, test results, score and/or faculty and university of your higher education.
• Opinion information such as your suggestions, feedback and/or reviews.
• Social Media Account and other contact information such as address, telephone number and/or email.
• Information received during the course of your attendance at our Events such as audio, photograph, video, your opinions or ideas exposed throughout the Events, long shot photograph, group photograph after the events, records of access to the Event area, including CCTV camera – you will be notified of CCTV in operation within HITAP area and you can learn more from our Privacy Notice for CCTV, video and audio records via Zoom Application or other recording devices.
• Information relating to personal relationship or interest which is likely to conflict with HITAP’s interest.
• Other information on record such as any document evidencing your communication with HITAP, correspondence records of any form, including photo, audio or social media platform as well as the record of Events which you previously attended or registered for and/or the minutes of meetings.
• Third party information provided by you or as received by HITAP such as the information listed above which you warrant that the third party’s consent has been given for disclosure of their personal data to HITAP.

2) Sensitive Personal Data

• In case of necessity, HITAP may process your sensitive personal data with your explicit consent in accordance with the consent form. We will do our best to provide the appropriate security measures to protect your sensitive personal data. In this regard, we will process your sensitive personal data only to achieve the purposes as permitted by law or as prescribed by the Privacy Notice and consent as follows:
  • Health information such as disability, congenital disease, color blindness, medical examination result, blood type, medical certificate, medical history, food allergy/restriction for the Events and relevant research.
• If you would not like your sensitive personal data to be collected, used or disclosed, you may reject our processing of your sensitive personal data by completing the consent form each time of processing, or by withdrawing your consent at any time though the channel set out in Clause 13.

In case you would not like your sensitive personal data as shown in your identity card, house registration or other documents that you intend to provide to HITAP, such as racial, blood type and religious information, to be processed, and you deliver any documents with the information of such kind to HITAP, whether in hard copy or any other formats, we recommend that you redact such sensitive personal data by crossing them out. However, if you do not redact the sensitive personal data by yourself, it is deemed to have HITAP authorized to redact the sensitive personal data for you; the document with redaction shall be valid and shall have a legal effect so that HITAP may process other personal data in the document according to the Personal Data Protection Act B.E. 2565 (2019). In case HITAP is not able to redact such sensitive personal data for you due to technical or other restrictions, HITAP will collect the personal data as necessary for the purpose of verifying your identity only.

In case HITAP receives your personal data from a third party, contractor and/or other data controller or processor, HITAP, in good faith, believes that such third parties are entitled to process and disclose your personal data to HITAP. Third parties may include but not limited to the followings:

• Third parties include public authorities, hospitals, academic institutes, your affiliated organizations, representatives, employers, sponsors and other third parties who provide services to you as well as acting on your behalf.

4. Lawful Basis of Collection of Personal Data

HITAP determines the lawful basis for processing of your personal data as appropriate and according to the context of our activities. In this regard, the lawful basis that we rely upon for processing of your personal data include the following:

• It is necessary for performance of a task carried out in the public interest or for the exercising of official authority vested in HITAP.
• It is necessary for compliance with the laws.
• It is necessary for legitimate interest.
• It is necessary for preventing or suppressing a danger to a person’s life, body or health.
• It is necessary for performance of contract.
• It is for preparation of research and statistical documents for public interest.
• Your consent.

In case HITAP is required to collect your personal data for compliance with the laws or as necessary for entering into a contract, and if you deny providing your personal data or object to the processing of your personal data in accordance with the purpose of processing activities, HITAP would not be able to proceed or provide a service, whether in whole or in part, as requested by you. Moreover, it may have an impact on HITAP’s compliance with its legal obligations.

In some cases, HITAP may ask for your personal data for your convenience or to provide a better experience. In such cases, you may decide not to provide the personal data and as such, and it will not affect the core activities that you have with us.

5. Purposes of Processing

HITAP collects and processes your personal data for the purposes set out in this Privacy Notice as follows:

1) For performance of contract or at your request prior to entering into a contract

• Filling in the registration form or conference/research acceptance form as evidence of registration, document receipt, attendance record or check-in record of the Events, and as evidence of receipt of document related to the Events held by HITAP, such as conference registration form, conference acceptance form or research attendance certificate.

2) For legitimate interest of HITAP or other third parties

• Processing of registration information to verify attendee identity, issue the receipts, support the preparation of contract or HITAP’s internal reference.
• Taking photographs or videos or recording audio where the focus does not lie on an individual i.e. overall impression of the Events (larger group of attendees), exhibitions, trainings, or conferences, to achieve the purpose of research, communication, publication or announcement to the public in relation to HITAP’s Events through various channels such as Facebook, mass media or other official communication platforms of HITAP.
• Access control to HITAP area or Event area to ensure the security of service users, employees, Event/training/seminar attendees or other individual entering HITAP area or Event area, as well as ensuring protection of HITAP’s property from irrelevant parties entering the restricted areas, prevention or suppression of a threat to life, body and security and investigation of the occurrence of any incident.
• Membership registration or subscription for newsletter and communications of HITAP’s activities and Events with an opt-out option available for you.
• Running conflict checks on your personal interest and HITAP’s interest.
• Establishment, compliance, exercise or defense of legal claims, legal proceedings as well as legal execution.

3) For preventing or suppressing a danger to life, body or health for you or other persons, such as an emergency contact.

4) For compliance with the law to achieve the purposes of public interest in public health, such as control of contagious disease, record of body temperature, and travel history.

5) For compliance with the applicable law and the order of an officer exercising official authority, such as summons, court orders, orders of government agencies, regulators, or competent officers.

6) For preparation of the documents relating to research or statistics for public interest regarding the assessment of health technologies and programs in accordance with HITAP’s missions and objectives, such as collection of personal data for research study.

7) Compliance with the consent of data subjects

• In case it is necessary to collect sensitive personal data, such as health information as required for Events or research.
• Taking photographs or videos including voice recording with a focus lying on an individual or small group of individuals, or the use of individual’s name-surname and piece of work in combination with photographs or videos for an appropriate purpose of public relations through various channels, such as Facebook, mass media or other official communication platforms of HITAP.

6. Disclosure of Personal Data

1) HITAP may disclose your personal data, for the specified purposes and as permitted by law, to the following individuals and/or organizations:

• Service providers and data processors assigned or hired by HITAP to manage or process personal data for HITAP to provide its services, including a person acting on HITAP’s behalf or jointly working with HITAP to achieve the purposes as set out in this Privacy Notice, and your personal data being required by such person to complete their task, such as providing IT service, collecting and analyzing information for researches, or providing other kind of services for your own benefits or relating to the research study conducted by HITAP, where the disclosure of your personal data is reasonably necessary to achieve the purposes of HITAP.
• Regulators or other government agencies requesting the disclosure of personal data by virtue of the law, or relating to the legal proceedings, or as permitted by law, such as National Police Office, Office of the Attorney General, Courts, government officer with an authority to request disclosure of personal data, such as inquiry officers, attorney generals.
• Consultants or specialists giving advice on HITAP’s undertakings, whether an individual or organization, such as research advisers, legal counsels, accounting consultants as well as other consultant with a specific profession.
• General public including any organization being able to make use of the information for wider public interest.
• Entities or organizations which are the channels for HITAP’s public relations, including social media platforms.

2) HITAP will oblige the receiving individuals/organizations to set up appropriate safeguards for your personal data and process such personal data as necessary. HITAP will have agreements with them to prevent your personal data from being used or disclosed without authorization or in violation of data protection law or other relevant law, and it will proceed with the disclosure of your personal data under the purposes as specified in this Privacy Notice or other purposes as permitted by law. If a consent is required, HITAP will obtain your consent prior to the disclosure.

7. Cross-border Transfer of Personal Data

In some cases, HITAP may send or transfer your personal data outside Thailand for the purposes of HITAP’s services and activities. This includes transferring personal data to a cloud server in a foreign country or sending personal data to foreign organization for research purposes.

However, HITAP will only send or transfer your personal data to a third country with adequate level of data protection, otherwise, HITAP will ensure that appropriate safeguards as required by law are established for your personal data, as well as an agreement being made with the relevant third party to guarantee their compliance with data protection measures as determined by HITAP.

8. Retention period of Personal Data

HITAP will keep your personal data for as long as it is necessary for achieving the purposes of processing in this Privacy Notice. The retention periods are as set out below:

• In case HITAP relies on your consent to process your personal data, HITAP will process such personal data until you withdraw your consent.
• In case you provide your personal data to HITAP due to a contract you have with us, HITAP will keep your personal data as necessary for providing service to you according to the term specified in the contract, and for another 10 years after termination of the relationship or contract.
• In case you provide your personal data to HITAP as a research subject or as an Event/conference/training/seminar attendee, HITAP will keep your personal data as necessary for providing services to you, and for another 5 years after termination of relationship.
• In case you subscribe to HITAP’s newsletters, HITAP will process your personal data until you cancel subscription.
• In case you provide information for running a check on conflict of interest, HITAP will retain the information for a period of 1 years, and if it is concluded that no potential conflict exists or that the interest is irrelevant or insignificant.
• Other provided personal data, such as a record of data subject right for HITAP’s verification or other actions to respond to your future requests, HITAP will keep your personal data as necessary to perform its duties to achieve the purposes specified in this Privacy Notice. In case it is unable to determine the exact retention period, HITAP will keep your personal data as reasonably expected and in accordance with the standard of retention period (such as up to 10 years as barred by the general prescription). Notwithstanding, in case of legal proceedings, your personal data will be kept until termination of the proceedings, including other necessary action required for achieving such purpose, then your personal data will be removed or kept as permitted by law.

After expiration of the retention period, HITAP will erase, destroy, anonymize or take any other action as required by personal data protection law, to ensure the efficacy of protection of your personal data. However, HITAP may retain certain personal data for a longer period than the above if it is necessary for compliance with the law or the order of government officers or relevant government agencies, and for achieving the purposes as embodied in HITAP’s missions or as permitted by law.

9. Security of Personal Data

HITAP sets up security measures, comprising of both technical and organizational measures for handling your personal data, such as implementing access control measure to allow only staff or individual that are authorized or assigned to use your personal data according to the Privacy Notice. Such people with authorization will have to strictly adhere to and comply with HITAP’s data protection measures, and they will also have an obligation to keep confidentiality of the personal data they became known in the performance of their duties.

Moreover, if HITAP requires your personal data to be sent or transferred to any third party, whether for the purposes of HITAP’s mission, contract, or other form of agreements, HITAP will determine the level of security and confidentiality measures as appropriate and as required by law to ensure your personal data with HITAP is always safe and secure.

10. Data Subject Right According to the Personal Data Protection Act B.E. 2562 (2019)

The Personal Data Protection Act B.E. 2662 (2019) stipulates various rights of data subjects. A data subject or an authorized personal, such as a parent or a guardian, is entitled to submit a request to exercise the rights through the channel as set out in Clause 13. The details of the available data subject rights are as follows:

1) Right to be informed: The data subject is entitled to be informed of the purposes and details of collection, use, and disclosure of their personal data through a privacy policy or privacy notice (as the case may be), including any changes to the existing purposes.

2) Right to Access: The data subject is entitled to have access, obtain a copy, or request the disclosure of their personal data collected by HITAP unless HITAP has a justified reason to reject the request as permitted by the law or court order, or in case the exercise of this right may have an adverse effect to the rights and freedom of other individual.

3) Right to Rectification: In the event that the data subject finds that their personal data are not accurate, complete or up-to-date, they are eligible to have their personal data rectified to ensure they are accurate, up-to-date, complete and not misleading, to the extent permitted by relevant law.

4) Right to Erasure: The data subject is entitled to have their personal data erased, destroyed, or anonymized, to the extent allowed by relevant law.

5) Right to Restriction of Processing: The data subject is entitled to restrict their personal data from being processed in the following cases:

• when the request to rectify your personal data for accuracy, completeness and being up-to-date (Right to Rectification) is under review by HITAP;
• when HITAP unlawfully processes your personal data;
• when their personal data is no longer necessary for HITAP, but the data subject requests HITAP to keep their personal data in support of their legal claim, such as establishment or defense of a legal claim; and
• when HITAP is in the process of verifying your objection request (Right to Object).

6) Right to Object: The data subject is entitled to object to the collection, use or disclosure of personal data relating to them in case HITAP relies upon legitimate interest, or processes their personal data for the scientific or historical research, or statistical purposes, unless HITAP has a legally justified reason to reject the request (such as HITAP is able to demonstrate that there is a compelling, legitimate ground for the collection, use and disclosure, or it is necessary for establishment, compliance or exercise of legal claims or it is for the public interest).

7) Right to Withdraw Consent: In case where the data subject gives consent to HITAP for collection, use or disclosure of personal data (whether such consent has been given before or after the effective date of the Personal Data Protection Act B.E. 2562 (2019)), the data subject is entitled to withdraw their consent at any time throughout the period where their personal data is being kept by HITAP unless there is any restriction by law that permits HITAP to continue retaining the personal data, or there is a contract between the data subject and HITAP. The withdrawal of consent will not affect the lawfulness of the collection, use, or disclosure of your personal data based on your consent before it was withdrawn.

8) Right to Data Portability The data subject is entitled to receive their personal data being processed by HITAP in a readable and commonly used, by automated devices or equipment, and can be used or disclosed by automated means. Moreover, the data subject may request their personal data in such format be sent to other data controller, subject to the conditions in the law.

9) Right to File a Complaint: The data subject is entitled to make a complaint to HITAP for investigation, clarification, or resolution of their concerns, including filing a complaint to the Personal Data Protection Commission if the processing of personal data by HITAP is in violation of the personal data protection law.

In case the data subject submits the request to exercise their rights under the Act, upon the receipt of the request, HITAP will proceed with the request within 30 days. HITAP reserves its right to reject or refuse to comply with the request and its right to extend the request respond timeline, including charging a fee if permitted by law.

11. Use of Personal Data for the Original Purposes

HITAP is entitled to collect and use the personal data given by the data subjects before the effective date of the personal data protection law for its original purposes. If the data subject no longer wishes HITAP to continue collecting and using such personal data, the data subject may withdraw their consent.

12. Amendment to the Privacy Notice

HITAP may consider updating, amending, or making changes to the Privacy Notice from time to time to be in line with its internal practice and the data protection law. HITAP will notify you of the changes via the HITAP website.

13. Contact Details for Enquiry or Exercise of Rights

If there is any enquiry, suggestion, or concern regarding this Privacy Notice or HITAP’s collection, use and disclosure of personal data, or if you would like to contact the data protection officer or exercise your rights under the personal data protection law, please contact us at:

Health Intervention and Technology Assessment Program Foundation

6th Floor, 6th Building, Department of Health, Ministry of Public Health,

Tiwanon Rd., Muang, Nonthaburi 11000

Tel.: 02-590-4549, 02-590-4374-5 or email: [email protected]

You can download the Data Subject Right Request Form here

Effective on 1^st June 2022

——

Related Privacy Notice(s) and document(s)

Privacy Policy

Privacy Notice for Job Applicants and Employees

Privacy Notice for Service Providers or Contractors

Privacy Notice for CCTV

Cookie Policy

Privacy Notice for Website Users

Data Subject Right Request Form