Privacy Notice for Service Providers or Contractors

Announcement by the Health Intervention and Technology Assessment Program Foundation

on Privacy Notice for Service Providers or Contractors

1. Background

The Health Intervention and Technology Assessment Program Foundation (hereinafter referred to as “HITAP”, “we” or “us”) respects and places importance on the right to privacy in relation to personal data of contractors or service providers as well as prospective contractors or service providers, whether a natural person or a representative of a legal person, e.g. director, authorized signatory, attorney in fact/agent, sub agent, personnel, representative, staff and employee, who entered or is entering into a transaction with HITAP (“you” or “data subject”). We are accountable for ensuring security of your personal data in HITAP’s control and we will manage your personal data in a secure and trustworthy manner. In this regard, HITAP provides this Privacy Notice for Service Providers or Contractors (“Privacy Notice”) to explain our practice in relation to personal data and sensitive personal data as well as notifying you of the details of collection, use and disclosure, the purposes of data processing and your rights under the Personal Data Protection Act B.E. 2562 (2019) (“Act”) as follows:

2. Definition

• “HITAP” means Health Intervention and Technology Assessment Program Foundation.
• “Prospective Contractors or Service Providers” means any person who is likely to become a party to a contract with HITAP, including but not limited to a person expressing their intent to enter into a contract with HITAP, a person signing up for being a party to a contract with HITAP, or a person showing their interest to provide service to HITAP or to work with HITAP or any other person.
• “Contractors or Service Providers” means any person enters into a contract or an agreement with HITAP or submits a proposal for products or services to HITAP.
• “Related Person” means a natural person who is related to or is a representative of a Prospective Contractors or Service Providers, such as a director, employee, representative, attorney in fact/agent, principal, witness, staff who carries out a business on behalf of a legal person as well as any person whose personal data appear in the document relating to the contract process.
• “Personal Data” means any information relating to a person which enables the identification of such person, either directly or indirectly, excluding information of deceased persons in particular.
• “Sensitive Personal Data” means personal data as stipulated in Section 26 of the Personal Data Protection Act B.E. 2562 (2019) which includes racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner, as prescribed by the Personal Data Protection Committee.
• “Processing of Personal Data” means any operation which is performed on personal data such as collection, recording, copying, structuring, storage, adaptation, alteration, use, retrieval, disclose, transmission, dissemination, transfer, combination, erasure, or destruction.
• “Data Subject” means a natural person whose Personal Data are collected, used or disclosed by HITAP.

In this regard, any terms which are not defined under this Privacy Notice shall refer to the terms as defined in the Act.

3. Types and Sources of Personal Data

HITAP collects your personal data directly from you, whether in hard or electronic copy, by means of filling out your personal data through the document or online platform as provided by HITAP and/or other means. Your personal data which are required for our processing activities may vary (according to the cases and characteristics of such processing activities), the types and sources of personal data are as follows:

1) General Personal Data

• Personal identifiable information and contact details such as name title, name, surname, ID card number, passport number, nationality, signature, address, telephone number, fax number, email address.
• Information as appeared on your name card, such as your profession, position, work address.
• Any information received during submission of a proposal for products or services to HITAP, such as your correspondence and communication with HITAP as well as other information you share or disclose to HITAP through HITAP systems and/or devices regardless of the format and means of disclosure, including but not limited to picture, audio, email, conversation and social media.
• Information demonstrating your business representative status, such as guarantor, lender, surety, business management, director, authorized director, shareholder, attorney in fact/agent, sub-agent, personnel, representative, contact person, staff and employee of a legal person who entered or is entering into a transaction with HITAP.
• Information supporting your registration for being a contractor or service provider of HITAP or other information relating to the transactions with HITAP, such as personal data as appeared in the copy of ID card, a copy of name change certificate, house registration, power of attorney, affidavit of a legal person as well as other identity verification/certification document.
• Payment information, such as invoice, receipt, payment voucher, payment channel, account number.
• Information for security, such as motions from CCTV (you will be notified of CCTV in operation within HITAP area and you can learn more from our Privacy Notice for CCTV)
• Information for consideration of your qualification as a contractor or service provider, such as work/service experience, a certification or document certifying your academic background or work skills as required for delivering a service to HITAP.
• Third party information provided by you or as received by HITAP such as the information listed above of a Related Person which you warrant that the third party’s consent has been given for disclosure of their personal data to HITAP, and for HITAP to process their personal data for the purposes as set out in this Privacy Notice.

2) Sensitive Personal Data: HITAP has no intention to collect, use or disclose your sensitive personal data. In case you would not like your sensitive personal data as shown in your identity card, house registration or other documents that you intend to provide to HITAP, such as racial, blood type and religious information, to be processed, and you deliver any documents with the information of such kind to HITAP, whether in hard copy or any other formats, we recommend that you redact such sensitive personal data by crossing them out. However, if you do not redact the sensitive personal data by yourself, it is deemed to have HITAP authorized to redact the sensitive personal data for you; the document with redaction shall be valid and shall have a legal effect so that HITAP may process other personal data in the document according to the Personal Data Protection Act B.E. 2565 (2019). In case HITAP is not able to redact such sensitive personal data for you due to technical or other restrictions, HITAP will collect the personal data as necessary for the purpose of verifying your identity only.

In case HITAP receives your personal data from a third party, contractor and/or other data controller or processor, HITAP, in good faith, believes that such third parties are entitled to process and disclose your personal data to HITAP. Third parties may include but not limited to the followings

• HITAP may receive your personal data from a third party, such as collection of your personal data from a referee who refers you to HITAP, or in some cases, from a public source or any business or commercial source.
• Competent officer or authority, such as Department of Business Development, Ministry of Commerce, Office of Securities and Exchange Commission, Stock Exchange of Thailand
• Other third parties, such as your employer entity, your representative or agent, your employer, your sponsor and any third party who provides a service to you, e.g., a distributor, a third-party agent or any other persons acting on their behalf.

4. Lawful Basis of Collection of Personal Data

HITAP determines the lawful basis for processing of your personal data as appropriate and according to the context of our activities. In this regard, the lawful basis that we rely upon for processing of your personal data include the following:

• It is necessary for performance of a task carried out in the public interest or for the exercising of official authority vested in HITAP.
• It is necessary for compliance with the laws.
• It is necessary for legitimate interest.
• It is necessary for preventing or suppressing a danger to a person’s life, body or health.
• It is necessary for performance of contract.
• It is for preparation of research and statistical documents for public interest.
• Your consent.

In case HITAP is required to collect your personal data for compliance with the laws or as necessary for entering into a contract, and if you deny providing your personal data or object to the processing of your personal data in accordance with the purpose of processing activities, HITAP would not be able to proceed or provide a service, whether in whole or in part, as requested by you. Moreover, it may have an impact on HITAP’s compliance with its legal obligations.

In some cases, HITAP may ask for your personal data for your convenience or to provide a better experience. In such cases, you may decide not to provide the personal data and as such, and it will not affect the core activities that you have with us.

5. Purposes of Processing

HITAP collects and processes your personal data for the purposes set out in this Privacy Notice as follows:

1. For performance of contract or at your request prior to entering into a contract

• Proceeding with your request or requirement prior to/at the time of entering into a contract with HITAP and taking any action for continuity of business of HITAP, such as evaluation of appropriateness, qualification, proposal and quotation.
• Proceeding with your request, approval, contract process as well as administration of contractual relationship between you and HITAP or any arrangement relating to the execution and performance of contract.
• Complying with the contractual obligations that have been made/is being made between you and HITAP, including inspection and acceptance of product or service, relationship administration, audit, or assessment of works as agreed in the purchase order, contract or any other document relating to the procurement process.
• Taking necessary action to complete financial transactions, such as indebtedness, payment of debt, clearing, accounting entry, verification of account number and completing any transaction relating to payment, refund, issuing a receipt or invoice, payment via electronic channel, billing or requesting payment of outstanding debt owed to HITAP as well as other tasks relating to your account as a Contractor or Service Provider of HITAP.
• Analyzing, preparing and performing contractual obligations, contract administration or entering into new contracts at a subsequent time.

2. For compliance with the law

• Complying with domestic and international laws, regulations and rules applicable to HITAP.
• Complying with the order of an officer exercising official authority, such as courts, government authorities, regulators or any competent officers.
• Issuing tax invoices according to the Revenue Code and other related regulations, such as Section 86/4 of Revenue Code and the Announcement of Director-General of the Revenue Department on Value Added Tax (No. 199)

3. For legitimate interest of HITAP or other third parties

• Administration of HITAP, storage of information for report preparation, internal control, carrying out the operation, compliance with HITAP’s policy and procedure, which includes any operation on risk control, security/safety, account audit, finance and account, process and procedure for continuity of HITAP’s operation.
• Procurement and selection of service providers, registration of new service providers, verification of information and qualification of service providers or similar related parties a well as complying with their requests in HITAP’s system, such as rectifying the information of service providers.
• Maintaining, rectifying and keeping the names, name list and business arrangements between HITAP and Service Providers or Contractors up-to-date, including keeping the contracts and related documents in HITAP’s directory.
• Complaint and dispute management, including resolving disputes, establishing legal claims, complying with legal claims, or exercising a right to legal claim or defending legal claims of HITAP in accordance with the procedure as prescribed by law, commencing legal action as well as legal execution.
• Administration of HITAP operation in relation to monitoring, preventing, and verifying fraud, anti-money laundering, terrorism, corruption or other criminal offences, including but not limited to verification on trustworthiness of any person relating to HITAP’s Contractors or Service Providers.
• Keeping a database in connection with interested persons/parties of HITAP and/or using such data to manage relationship or for contact and cooperation relating to HITAP and you.

6. Disclosure of Personal Data

1) HITAP may disclose your personal data, for the specified purposes and as permitted by law, to the following individuals and/or organizations:

• Service providers and data processors assigned or hired by HITAP to manage or process personal data for HITAP to provide its services, including a person acting on HITAP’s behalf or jointly working with HITAP to achieve the purposes as set out in this Privacy Notice, and your personal data being required by such person to complete their task, e.g. information technology services, data storage, payment service or any other services which are beneficial to you or related to HITAP’s operation so long as such disclosure is necessary to achieve HITAP’s purposes.
• HITAP’s consultant, e.g. board/commission of HITAP, legal counsels, accounting consultants as well as other consultant with a specific profession.
• Government officers or authorities lawfully requesting the disclosure of personal data by virtue of law, or any authorities relating to judicial process or as permitted by relevant law, e.g. Revenue Department, Social Security Office, Department of Provincial Administration, Department of Business Development, Department of Intellectual Property, Stock Exchange of Thailand, Personal Data Protection Committee, Office of Trade Competition Commission, Royal Thai Police, Office of the Attorney General, Courts and Legal Execution Department.

2) HITAP will oblige the receiving individuals/organizations to set up appropriate safeguards for your personal data and process such personal data as necessary. HITAP will have agreements with them to prevent your personal data from being used or disclosed without authorization or in violation of data protection law or other relevant law, and it will proceed with the disclosure of your personal data under the purposes as specified in this Privacy Notice or other purposes as permitted by law. If a consent is required, HITAP will obtain your consent prior to the disclosure.

7. Cross-border Transfer of Personal Data

In some cases, HITAP may send or transfer your personal data outside Thailand for the purposes of HITAP’s services and activities. This includes transferring personal data to a cloud server in a foreign country.

However, HITAP will only send or transfer your personal data to a third country with adequate level of data protection, otherwise, HITAP will ensure that appropriate safeguards as required by law are established for your personal data, as well as an agreement being made with the relevant third party to guarantee their compliance with data protection measures as determined by HITAP.

8. Retention period of Personal Data

HITAP will keep your personal data for as long as it is necessary for achieving the purposes of processing in this Privacy Notice. The retention periods are as set out below:

• In case you are a Contractor, Service Provider, Prospective Contractor or Service Provider and any related person, HITAP will keep your personal data as necessary for providing service to you according to the terms specified in the contract, and for another 5 years after termination of the relationship or contract and without any deliverable/payable debt owed to each other.
• In other cases, HITAP will keep your personal data as necessary to perform its duties to achieve the purposes specified in this Privacy Notice. In case it is unable to determine the exact retention period, HITAP will keep your personal data as reasonably expected and in accordance with the standard of retention period (such as up to 10 years as barred by the general prescription). Notwithstanding, in case of legal proceedings, your personal data will be kept until termination of the proceedings, including other necessary action required for achieving such purpose, then your personal data will be removed or kept as permitted by law.

After expiration of the retention period, HITAP will erase, destroy, anonymize or take any other action as required by personal data protection law, to ensure the efficacy of protection of your personal data. However, HITAP may retain certain personal data for a longer period than the above if it is necessary for compliance with the law or the order of government officers or relevant government agencies, and for achieving the purposes as embodied in HITAP’s missions or as permitted by law.

9. Security of Personal Data

HITAP sets up security measures, comprising of both technical and organizational measures for handling your personal data, such as implementing access control measure to allow only staff or individual that are authorized or assigned to use your personal data according to the Privacy Notice. Such people with authorization will have to strictly adhere to and comply with HITAP’s data protection measures, and they will also have an obligation to keep confidentiality of the personal data they became known in the performance of their duties.

Moreover, if HITAP requires your personal data to be sent or transferred to any third party, whether for the purposes of HITAP’s mission, contract, or other form of agreements, HITAP will determine the level of security and confidentiality measures as appropriate and as required by law to ensure your personal data with HITAP is always safe and secure.

10. Data Subject Right According to the Personal Data Protection Act B.E. 2562 (2019)

The Personal Data Protection Act B.E. 2662 (2019) stipulates various rights of data subjects. A data subject or an authorized person, such as a parent or a guardian, is entitled to submit a request to exercise the rights through the channel as set out in Clause 12. The details of the available data subject rights are as follows:

1. Right to be informed: The data subject is entitled to be informed of the purposes and details of collection, use, and disclosure of their personal data through a privacy policy or privacy notice (as the case may be), including any changes to the existing purposes.

2. Right to Access: The data subject is entitled to have access, obtain a copy, or request the disclosure of their personal data collected by HITAP unless HITAP has a justified reason to reject the request as permitted by the law or court order, or in case the exercise of this right may have an adverse effect to the rights and freedom of other individual.

3. Right to Rectification: In the event that the data subject finds that their personal data are not accurate, complete or up-to-date, they are eligible to have their personal data rectified to ensure they are accurate, up-to-date, complete and not misleading, to the extent permitted by relevant law.

4. Right to Erasure: The data subject is entitled to have their personal data erased, destroyed, or anonymized, to the extent allowed by relevant law.

5. Right to Restriction of Processing: The data subject is entitled to restrict their personal data from being processed in the following cases:

• when the request to rectify your personal data for accuracy, completeness and being up-to-date (Right to Rectification) is under review by HITAP;
• when HITAP unlawfully processes your personal data;
• when their personal data is no longer necessary for HITAP, but the data subject requests HITAP to keep their personal data in support of their legal claim, such as establishment or defense of a legal claim; and
• when HITAP is in the process of verifying your objection request (Right to Object).

6. Right to Object: The data subject is entitled to object to the collection, use or disclosure of personal data relating to them in case HITAP relies upon legitimate interest, or processes their personal data for the scientific or historical research, or statistical purposes, unless HITAP has a legally justified reason to reject the request (such as HITAP is able to demonstrate that there is a compelling, legitimate ground for the collection, use and disclosure, or it is necessary for establishment, compliance or exercise of legal claims or it is for the public interest).

7. Right to Withdraw Consent: In case where the data subject gives consent to HITAP for collection, use or disclosure of personal data (whether such consent has been given before or after the effective date of the Personal Data Protection Act B.E. 2562 (2019)), the data subject is entitled to withdraw their consent at any time throughout the period where their personal data is being kept by HITAP unless there is any restriction by law that permits HITAP to continue retaining the personal data, or there is a contract between the data subject and HITAP. The withdrawal of consent will not affect the lawfulness of the collection, use, or disclosure of your personal data based on your consent before it was withdrawn.

8. Right to Data Portability: The data subject is entitled to receive their personal data being processed by HITAP in a readable and commonly used, by automated devices or equipment, and can be used or disclosed by automated means. Moreover, the data subject may request their personal data in such format be sent to other data controller, subject to the conditions in the law.

9. Right to File a Complaint: The data subject is entitled to make a complaint to HITAP for investigation, clarification, or resolution of their concerns, including filing a complaint to the Personal Data Protection Commission if the processing of personal data by HITAP is in violation of the personal data protection law.

In case the data subject submits the request to exercise their rights under the Act, upon the receipt of the request, HITAP will proceed with the request within 30 days. HITAP reserves its right to reject or refuse to comply with the request and its right to extend the request respond timeline, including charging a fee if permitted by law.

11. Amendment to the Privacy Notice

HITAP may consider updating, amending, or making changes to the Privacy Notice from time to time to be in line with its internal practice and the data protection law. HITAP will notify you of the changes via HITAP’s website.

12. Contact Details for Enquiry or Exercise of Rights

If there is any enquiry, suggestion, or concern regarding this Privacy Notice or HITAP’s collection, use and disclosure of personal data, or if you would like to exercise your rights under the personal data protection law, please contact us at:

Health Intervention and Technology Assessment Program Foundation

6th Floor, 6th Building, Department of Health, Ministry of Public Health,

Tiwanon Rd., Muang, Nonthaburi 11000

Tel.: 02-590-4549, 02-590-4374-5 or email:  [email protected]

You can download the Data Subject Right Request Form here

Effective on 1^st June 2022

——

Related Privacy Notice(s) and document(s)

Privacy Policy

Privacy Notice for Job Applicants and Employees

Privacy Notice for CCTV

Privacy Notice for Events

Cookie Policy

Privacy Notice for Website Users

Data Subject Right Request Form