Announcement by the Health Intervention and Technology Assessment Program Foundation
on Privacy Notice for Website Users
The Health Intervention and Technology Assessment Program Foundation (hereinafter referred to as “HITAP”, “we” or “us”) is the provider of this website (www.hitap.net) as well as other social media accounts. HITAP, as the data controller, respect the right to privacy of the data subjects and recognize the importance of your personal data. Therefore, this Privacy Notice for Website Users (“Privacy Notice”) was made to notify you of the purposes and means of collection, use and disclose (collectively referred to as “process/processing”) of your personal data, e.g. HITAP’s website browsing data, registration data for HITAP activities/events, cookie data, transaction logs and user experience, as well as your rights under the Personal Data Protection Act B.E. 2562 (2019) (“Act”) and the channel to exercise the rights, the details of which are as follows:
2. Types and Sources of Personal Data
HITAP collects your personal data directly from you, which includes the personal data that you provide to us directly, such as information provided through signing up emails, sending messages for news, information and service enquiry, signing up for the activities of HITAP, and includes the information HITAP receives through the use of our website or your social media account, e.g. cookie data, transaction logs and user experience within our website. Moreover, HITAP may collect your personal data from third-party sources, e.g. the information publicly available on media or a third-party service providers in case it is necessary and carried out to the extent permitted by law.
The types of personal includes but not limited to the following:
- Personal information such as name, surname, title.
- Contact information such as home address, office address, telephone number, email, LINE ID.
- Device and software information, IP address, technical and identifier information, such as cookies, web beacons, logs, device ID, types of device, network data, connection data, access data, login logs, time of access, HITAP website browsing time.
- User account, social media account, including any service communication relating to such accounts.
- Details of browsing, searching history, viewing history and interaction with the news and information of HITAP, including viewed content, visited URL, feature usage, service usage, website usage/behaviors, searching history relating to HITAP’s works, activities or services.
- Response and communication information in case you contact HITAP, including any information you choose to share or disclose to HITAP through systems, devices, questionnaire and other services of HITAP regardless of the formats or means of disclosure, such as images, audio, messages, communications via social media.
- Opinion information, such as recommendations, suggestions, complaints, or surveys.
- Other information, such as audio, pictures, videos and other types of data considered to be personal data in accordance with the data protection law.
3. Purposes and Lawful Bases for Processing
HITAP processes your personal data as necessary for the lawful purposes as determined by HITAP, which includes the processing of personal data for performance of contract in which you are the party, for performance of compliance with legal duties, for legitimate interests, or for compliance with your consent, and/or other lawful bases, the details of which are as follows:
1) For performance of contract or at your request:
- Accepting or proceeding with the sing-up request you submit to HITAP
- Registration process for HITAP’s activities/events
- Registration process for receiving news or information from HITAP
2) For compliance with legal duties:
- Compliance with domestic or international laws, regulations, or rules applicable to HITAP
- Compliance with the order of official authorities, such as the order of the courts, government authorities, regulators, or competent officers.
3) For legitimate interests:
- Response to your complaints, enquiries, suggestions.
- Communication of news and information relating to HITAP’s activities.
- Development and improvement of our website (hitap.net) and other social media channels for better user experience by electronic means.
- Retention of personal data for prevention of fraud or other malicious actions, e.g. monitoring a cyberattack.
- Proceeding with legal claims, actions and executions.
- Launching a survey or questionnaire to gather opinions, recommendations or suggestions for development and improvement of HITAP’s service on the website.
In case HITAP is required to collect your personal data for compliance with the laws or as necessary for entering into a contract, and if you deny providing your personal data or object to the processing of your personal data in accordance with the purpose of processing activities, HITAP would not be able to proceed or provide a service, whether in whole or in part, as requested by you. Moreover, it may have an impact on HITAP’s performance of duties under the law compliance with its legal obligations.
In some cases, HITAP may ask for your personal data to for your convenience or to provide a better experience. In such cases, you may decide not to provide the personal data and as such, and it will not affect the core activities that you have with us.
4. Disclosure of Personal Data
HITAP may disclose your personal data, for under the specified purposes and as permitted by law, to the following individuals and/or organizations:
- Service providers and data processors assigned or hired by HITAP to manage or process personal data for HITAP to provide its services, including a person acting on HITAP’s behalf or jointly working with HITAP to achieve the purposes as set out in this Privacy Notice, and your personal data being required by such person to complete their task, such as providing IT service, storage of data.
- Regulators or other government agencies requesting the disclosure of personal data by virtue of the law, or relating to the legal proceedings, or as permitted by law.
- Consultants or specialists giving advice on HITAP’s undertakings, such as research advisers, legal counsels, accounting consultants as well as other consultant with a specific profession.
- Entities or organizations which are the channels for HITAP’s public relations, including social media platforms.
HITAP will oblige the receiving individuals/organizations to set up appropriate safeguards for your personal data and process such personal data as necessary. HITAP will carry out necessary actions to prevent the processing of your personal data without authorization or in violation of the data protection law or any other laws. If your consent is required, HITAP will obtain your consent prior to processing of your personal data.
5. Cross-border Transfer of Personal Data
In some cases, HITAP may send or transfer your personal data outside Thailand for the purposes of HITAP’s services and activities. This includes such as transferring on personal data to a cloud server in a foreign country.
However, HITAP will only send or transfer your personal data to a third country with adequate level of data protection, otherwise, HITAP will ensure that appropriate safeguards as required by law are established for your personal data, as well as an agreement being made with the relevant third party to guarantee their compliance with data protection measures as determined by HITAP.
6. Retention period of Personal Data
HITAP will keep your personal data for as long as it is necessary for achieving the purposes of processing in this Privacy Notice. In case it is unable to determine the exact retention period, HITAP will keep your personal data as reasonably expected and in accordance with the standard of retention period (such as up to 10 years as barred by the general prescription). Notwithstanding, in case of legal proceedings, your personal data will be kept until termination of the proceedings, including other necessary action required for achieving such purpose, then your personal data will be removed or kept as permitted by law.
7. Security of Personal Data
HITAP sets up security measures, comprising of both technical and organizational measures for handling your personal data, such as implementing access control measure to allow only staff or individual that are authorized or assigned to use your personal data according to the Privacy Notice. Such people with authorization will have to strictly adhere to and comply with HITAP’s data protection measures, and they will also have an obligation to keep confidentiality of the personal data they became known in the performance of their duties.
Moreover, if HITAP requires your personal data to be sent or transferred to any third party, whether for the purposes of HITAP’s mission, contract, or other form of agreements, HITAP will determine the level of security and confidentiality measures as appropriate and as required by law to ensure your personal data with HITAP is always safe and secure.
8. Competency of Users
In case you are a minor, incompetent or quasi-incompetent person, HITAP has no intention to process your personal data unless a consent has been given by the parent, guardian or curator (as the case may be) having the capacity to act on your behalf, or unless the law permits HITAP to do so.
In case HITAP is not aware that the data subject is a minor, incompetent or quasi-incompetent person and that HITAP discovers the processing without the consent of their parent, guardian or curator (as the case may be) at a subsequent time, HITAP will erase or destroy their personal data in due course if HITAP does not rely on any other lawful basis of processing than the consent.
10. Data Subject Rights According to the Personal Data Protection Act B.E. 2562 (2019)
A data subject or an authorized person, such as a parent or a guardian, is entitled to submit a request to exercise the rights through the channel as set out in “Clause 13. Contact Details for Enquiry or Exercise of Rights”. The details of the available data subject rights are as follows:
2) Right to Access: The data subject is entitled to have access, obtain a copy, or request the disclosure of their personal data collected by HITAP.
3) Right to Rectification: In the event that the data subject finds that their personal data are not accurate, complete or up-to-date, they are eligible to have their personal data rectified to ensure they are accurate, up-to-date, complete and not misleading.
4) Right to Erasure The data subject is entitled to have their personal data erased, destroyed, or anonymized.
5) Right to Restriction of Processing: The data subject is entitled to restrict their personal data from being processed in the following cases:
- when the request to rectify your personal data for accuracy, completeness and being up-to-date (Right to Rectification) is under review by HITAP;
- when HITAP unlawfully processes your personal data;
- when their personal data is no longer necessary for HITAP, but the data subject requests HITAP to keep their personal data in support of their legal claim, such as establishment or defense of a legal claim; and
- when HITAP is in the process of verifying your objection request (Right to Object).
6) Right to Object: The data subject is entitled to object to the collection, use or disclosure of personal data relating to them in case HITAP relies upon legitimate interest, or processes their personal data for the scientific or historical research, or statistical purposes.
7) Right to Withdraw Consent: In case where the data subject gives consent to HITAP for collection, use or disclosure of personal data (whether such consent has been given before or after the effective date of the Personal Data Protection Act B.E. 2562 (2019)), the data subject is entitled to withdraw their consent at any time throughout the period where their personal data is being kept by HITAP.
8) Right to Data Portability: The data subject is entitled to receive their personal data being processed by HITAP in a readable and commonly used, by automated devices or equipment, and can be used or disclosed by automated means. Moreover, the data subject may request their personal data in such format be sent to other data controller.
9) Right to File a Complaint: The data subject is entitled to make a complaint to HITAP for investigation, clarification, or resolution of their concerns, including filing a complaint to the Personal Data Protection Commission if the processing of personal data by HITAP is in violation of the personal data protection law.
In case the data subject submits the request to exercise their rights under the Act, upon the receipt of the request, HITAP will proceed with the request within 30 days. HITAP reserves its right to reject or refuse to comply with the request and its right to extend the request respond timeline, including charging a fee if permitted by law.
11. Use of Personal Data for the Original Purposes
HITAP is entitled to collect and use the personal data given by the data subjects before the effective date of the personal data protection law for its original purposes. If the data subject no longer wishes HITAP to continue collecting and using such personal data, the data subject may withdraw their consent.
12. Amendment to the Privacy Notice
HITAP may consider updating, amending, or making changes to the Privacy Notice from time to time to be in line with its internal practice and the data protection law. HITAP will notify you of the changes via the HITAP website.
13. Contact Details for Enquiry or Exercise of Rights
If there is any enquiry, suggestion, or concern regarding HITAP’s collection, use and disclosure of personal data, or if you would like to exercise your rights under the personal data protection law, please contact us at:
Health Intervention and Technology Assessment Program Foundation, 6th Floor, 6th Building, Department of Health, Ministry of Public Health, Tiwanon Rd., Muang, Nonthaburi 11000
Tel.: +662-590-4549, +662-590-4374-5
Email address: firstname.lastname@example.org
You can download the Data Subject Right Request Form here
Effective on 1st June 2022
Related Privacy Notice(s) and document(s)
Privacy Notice for Job Applicants and Employees
Privacy Notice for Service Providers or Contractors
Privacy Notice for CCTV
Privacy Notice for Events
Data Subject Right Request Form