Data Protection Policy

Care Friend, Rose Innovation Company Limited ("Company" or "We") is committed to ensuring the protection and security of personal data, including sensitive health data, in accordance with the provisions of the Personal Data Protection Act B.E. 2562 ("PDPA"), the Health Information Privacy and Security Act, and other relevant data protection regulations. This Data Protection Policy outlines the principles and practices that the Company adheres to for the protection, processing, and management of personal and health-related data.

Principles of Data Protection

The Company operates on the following principles with regard to the processing of personal and health data:

  1. Lawfulness, Fairness, and Transparency: Personal and health data is processed lawfully, fairly, and transparently in relation to the data subject.

  2. Purpose Limitation: Personal and health data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes.

  3. Data Minimization: Personal and health data, especially sensitive health data, is limited to what is necessary in relation to the purposes for which it is processed.

  4. Accuracy: Personal and health data is accurate and, where necessary, kept up to date; every reasonable step is taken to ensure that inaccurate data is rectified or erased without delay.

  5. Storage Limitation: Personal and health data is kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the data is processed.

  6. Integrity and Confidentiality: Personal and health data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

  7. Accountability: The Company is responsible for, and able to demonstrate compliance with, the principles outlined above, especially with regard to sensitive health data.

Data Processing Practices

The Company maintains the following practices in the processing of personal and health data:

  1. Lawful and Fair Processing: Personal and health data is processed based on legitimate grounds, including the performance of a contract, compliance with legal obligations, protection of vital interests, consent, and legitimate interests pursued by the Company or a third party.

  2. Transparency: The Company ensures transparency in its processing activities by providing clear and accessible information regarding the collection and use of personal and health data, particularly emphasizing the sensitive nature of health-related information.

  3. Consent: The Company obtains valid consent from data subjects for the processing of their personal and health data, especially sensitive health data. Data subjects have the right to withdraw their consent at any time.

  4. Data Security: The Company implements robust technical and organizational measures to ensure the security of personal and health data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Special attention is given to the heightened security requirements for sensitive health data.

  5. Data Subject Rights: The Company facilitates the exercise of data subject rights, including the right to access, rectification, erasure, restriction of processing, data portability, and objection, especially with respect to health data privacy regulations.

  6. Data Transfer: The Company ensures that any transfer of personal and health data to a third country or an international organization is carried out in compliance with data protection regulations, with additional precautions for the transfer of sensitive health data.

  7. Data Breach Management: The Company has established comprehensive procedures for identifying, assessing, and reporting data breaches, particularly those involving sensitive health data, and for notifying data subjects and relevant authorities where required.

Regulations on Health Data

In addition to complying with the PDPA, the Company adheres to the Health Information Privacy and Security Act and other relevant regulations governing the processing of health-related data. The Company recognizes the heightened sensitivity and privacy requirements associated with health data, especially medical records, diagnoses, treatments, and other health-related information, and undertakes to process such data with the utmost care and adherence to legal requirements.

Compliance and Accountability

The Company designates a Data Protection Officer (DPO) responsible for overseeing the implementation of this Data Protection Policy, ensuring compliance with data protection regulations, and addressing data protection issues related to both personal and health data. The DPO serves as the primary point of contact for data subjects and supervisory authorities.

The Company conducts regular audits and assessments of its data processing activities, with particular emphasis on the handling of sensitive health data, to ensure ongoing compliance with this policy and all relevant data protection regulations.

Training and Awareness

The Company provides comprehensive training and awareness programs for its employees, contractors, and other relevant parties involved in the processing of personal and health data. These programs emphasize the sensitivity and privacy requirements of health-related information and ensure a clear understanding of the responsibilities and obligations under this Data Protection Policy and applicable data protection regulations.

Continuous Improvement

The Company continually reviews and updates its data protection practices, especially those related to the processing of health data, to reflect changes in legal requirements, technology, and business operations. The Company actively seeks to enhance its data protection measures, especially with regard to the processing and safeguarding of sensitive health data, in line with evolving regulations and best practices.

Contact Information

For any inquiries, concerns, or requests related to data protection, data subjects may contact the Data Protection Officer at:

Care Friend (Rose Innovation Company Limited), 8 Ramintra 81/1, Kannayao, Bangkok. E-mail: hello@carefriend.com
