IHH MY PERSONAL DATA PROTECTION NOTICE
Revised on 15th November 2023 (“Effective Date”)
1. Introduction
This IHH MY Personal Data Protection Notice (“Notice”) belongs to and is adopted collectively by IHH Healthcare Malaysia[1] (“IHH MY”, “we”, “us”, “our”, or “company”).
1.1 We are committed to protecting the personal data of individuals or Data Subjects[2] (“your”, “you” and “yours”) responsibly and in compliance with relevant data protection laws.
1.2 This Notice addresses how we Process[3] your personal data when you interact with us.
1.3 This Notice may be updated or supplemented to meet local requirements or to provide you with additional information. We strongly encourage you to review this Notice carefully.
1.4 This Notice may also be found at the following webpage: https://www.ttmc.com.my/pdpnotice
2. Your Personal Data
2.1 For purposes of this Notice, Personal Data means any information or combination of information relating, directly or indirectly, to an identified or identifiable natural person.
2.2 Depending on the nature of your interaction with us, Personal Data may include your name, identification number, passport number, telephone number(s), mailing address, email address, network traffic data, online identifiers and/or any other information which has been provided to us, or to which we may have access, in the course of your interaction with us.
2.3 We may Process certain Personal Data about your Relatives[4] but only when there is a legitimate business purpose related to your relationship with us, for instance, to administer employee benefits or in case of an emergency.
2.4 For certain reasons, it may be necessary for us to Process special categories of Personal Data (including “sensitive” Personal Data) (“Sensitive Personal Data”). We only Process Sensitive Personal Data where it is required or authorised under the law (employment, social security, social protection or other applicable data protection related laws), or in case of legal claims. Sensitive Personal Data may include religious or philosophical beliefs, information about disabilities, medical history, racial or ethnic data and/or criminal data (behavior, records or proceedings regarding criminal or unlawful behavior).
For more details on Personal Data which may be collected, please refer to Appendix 1.
3. How do we collect your Personal Data?
We collect Personal Data from you in the following ways:
3.1 Directly:
a) when you create an account, register with us and/or submit any form to provide us or benefit from our services;
b) when you disclose Personal Data in face-to-face meetings, email messages, telephone conversations with our teams such as marketing or customer service officers;
c) when you volunteer and consent to participate in any research conducted by us;
d) when you sign up for our marketing and promotional communications and/or any initiatives;
e) when you give your feedback, comments, questions, ratings and reviews on our website, social media or to our customer service officers;
f) when you interact or communicate with us via our websites or on social media channels, pages, promotions and/or blogs;
g) when you contact us and/or enter into an agreement to provide us services;
h) when you visit and/or are within our premises and your images are captured by us via CCTV cameras, photographs or videos taken by us or our representatives when you attend any of our events;
i) when you submit an employment application; and/or
j) when you make available your Personal Data to us for any other reason.
3.2 Indirectly, from other data sources:
a) when we seek and receive your Personal Data in connection with your relationship with us (including for our product and services or job applications). Example: business partners, public agencies, your ex-employer, referral intermediaries and the relevant authorities;
b) if you act as an intermediary or are supplying us with information regarding a third-party/other individual (such as a Relative, friend, a colleague, an employee etc.), you undertake that you have obtained all necessary consents from such third-party/other individual for Processing of their Personal Data by us;
c) as we are collecting third-party or other individual’s Personal Data from you, you undertake to make such third-party or other individual aware of all matters listed in this Notice by referring them to our website or informing them of the contents of this Notice; and/or
d) any other information which we may collect from other sources.
3.3 Personal Data of Vulnerable Persons[5]
a) It is our intention and policy to comply with the law where it requires a parent’s, guardian’s or legal representative’s permission before collecting, using or disclosing Personal Data of Vulnerable Persons.
b) If a parent, guardian or legal representative becomes aware that Personal Data of a child or ward has been provided by that child or ward without the consent of the relevant parent, guardian or legal representative, please contact us (contact details provided below). Such Personal Data will be disposed of from our records.
4. What are the purposes for which Personal Data is collected and Processed?
Personal Data shall be collected, used, transferred or otherwise Processed for one or more of the following purposes:
4.1 Business Purposes: These are legitimate purposes as appropriate to conduct our business. These purposes address Processing of Personal Data necessary for activities such as:
a) conclusion and execution of agreements with Data Subjects;
b) marketing, sales, and promotions;
c) account management of Data Subjects;
d) customer service and support;
e) finance and accounting;
f) research and development, for instance, analytics to provide better products and services;
g) purchasing/availing of our services;
h) internal management, communications and controls;
i) management of investor relations;
j) external communications, interactions with authorised service providers. Our authorised service providers may use cookies, web beacons, and other similar technologies for collecting and storing information to help provide you with a better, faster, and safer web experience;
k) government and legal affairs;
l) alliances, ventures, mergers, acquisitions, and divestitures;
m) Intellectual property and standards management; and/or
n) any other activity that is reasonably connected to the foregoing.
4.2 Human resources and personnel management: This includes Processing necessary for the performance of an employment or other contract with an employee (or to take necessary steps at the request of an employee prior to entering into a contract), or for managing the employment-at-will relationship, e.g. management and administration of recruiting and outplacement, compensation and benefits, payments, tax issues, career and talent development, performance evaluations, training, travel and expenses, and employee communications;
4.3 Business process execution and internal management: This includes Processing necessary for activities such as scheduling work, recording time, managing company assets, conducting internal audits and investigations, implementing business controls, managing and using customer database/employee directories;
4.4 Health, safety and security: Activities such as those involving occupational safety and health, the protection of our assets, verification of your identity, and your access rights and their status;
4.5 Organisational analysis and development and management reporting: Conducting surveys, managing mergers, acquisitions and divestitures, and Processing data for management reporting and analysis;
4.6 Compliance with legal obligations: For Processing necessary for compliance with a legal obligation to which we are subject;
4.7 Vital interests: For Processing necessary to protect your vital interests, for instance, situations that require us to protect your life or you from harm;
4.8 Sensitive Personal Data: Sensitive Personal Data may be Processed under one or more of the following circumstances:
a) where you have explicitly consented to the Processing;
b) where Sensitive Personal Data is Processed in connection with the purchase of our service;
c) where you voluntarily participate in a research project or product test;
d) as required by or allowed under applicable data protection related laws;
e) to establish, exercise or defend a legal claim;
f) with regard to racial or ethnic data: to safeguard our assets, for site access and security reasons, and for the authentication/verification of your access rights, we may Process photos and video images (in some countries photo and video images of individuals qualify as racial or ethnic data);
g) to prevent, detect or prosecute (including cooperating with public authorities) suspected fraud, contract breaches, violations of law, or other breaches of the terms of access to our sites or assets;
h) to protect your vital interest, but only where it is impossible to obtain your consent first; and/or
i) where necessary to comply with an obligation of international public law (e.g. Treaties).
4.9 Direct Marketing:
We may, when Processing Personal Data for making direct marketing communications, either:
a) obtain your consent; and/or
b) offer you opportunity to choose not to receive such communications.
In every subsequent direct marketing communication that is made to you, you shall be offered the opportunity to opt-out of further marketing communication.
If you object to receiving marketing communications from us, or withdraw consent to receive such materials, we will take steps to refrain from sending further marketing materials as specifically requested by you. We will do so within the time period required by applicable data protection related laws;
4.10 Secondary Purposes: Processing of Personal Data (including previously collected data) for secondary purposes such as:
a) Maintaining the security of the Personal Data Processed;
b) transferring the Personal Data to an Archive;
c) conducting internal audits or investigations;
d) implementing business controls;
e) conducting statistical, historical or scientific research as required for our business operations;
f) preparing or engaging in dispute resolution;
g) using legal or business consulting services;
h) managing insurance or other benefits related issues; and/or
i) creating de-identified, aggregated and/or anonymised data from Personal Data from which relevant Data Subjects would not be identifiable, through removal of identifiable components, obfuscation, pseudonymisation, anonymisation, or any other means, for purposes including, but not limited to, (a) enhancing security; and/or (b) further processing, aggregation and analysis (of the anonymised data that no longer contains your Personal Data only) for optimisation of patient care and improvement of healthcare services, products, and research and development, which may include transferring such anonymised data to our affiliates and business partners in Malaysia or abroad for such purposes.
4.11 Any other purpose necessary to fulfil or achieve any other purposes stated in this Notice.
For more details on purposes for which Personal Data is Processed, please refer to Appendix 2.
4.12 Exceptions: Some of our obligations under this Notice may be overridden if, under the specific circumstances at issue, a pressing legitimate need exists that outweighs your interest. Such a situation exists if there is a need to:
a) protect our Business Interests including:
i. the health, security or safety of individuals;
ii. our intellectual property rights, trade secrets or reputation;
iii. the continuity of our business operations;
iv. the preservation of confidentiality in a proposed sale;
v. merger or acquisition of a business; and/or
vi. the involvement of authorised advisors or consultants for business, legal, tax, or insurance purposes.
b) prevent or investigate suspected or actual violations of:
i. law (including cooperating with law enforcement);
ii. contracts; and/or
iii. our policies.
c) otherwise protect or defend our rights or freedoms, or those of our personnel or other individuals.
5. Automated decision-making
5.1 Automated tools may be used by us to Process your Personal Data and/or make decisions about you. Some degree of human intervention may be involved in the automated decision-making.
5.2 Where permissible under law, we may undertake automated decision-making if:
a) the decision is made by us for purposes of entering or performing a contract provided that the underlying request leading to a decision by us was made by you;
b) you have provided explicit consent; and/or
c) the use of automated tools is otherwise required.
5.3 We are mindful of safeguarding your rights and legitimate interests. To request a manual decision-making process, express your opinion or contest our decision based on automated processing, including profiling, please contact us (contact details provided below).
6. Sharing your Personal Data with others
6.1 Your Personal Data may be shared with our Affiliates and healthcare professionals.
6.2 Access to Personal Data will be limited to those who have a need to know the information for the purposes described in this Notice.
6.3 From time to time, we may need to share your Personal Data with authorised external parties, which may include the following:
a) service providers, vendors, suppliers: we contract with authorised external parties or companies that provide products and services to us such as information technology security and support, customer survey, debt recovery, payroll and employee expense support, and benefits and rewards administration;
b) public and governmental authorities: when required by law, or as necessary to protect our rights, we may share your Personal Data with public and governmental authorities that regulate or have jurisdiction over us;
c) professional advisors and others: we work with and receive support from certain professional advisors such as banks, insurance companies, auditors, lawyers, accountants, and payroll advisors; and/or
d) other parties in connection with corporate transactions: we may also, from time to time, share your Personal Data in the course of corporate transactions, such as during a sale of a business or a part of a business to another company, or any reorganisation, merger, joint venture, or other disposition of our business, assets, or stock.
6.4 As appropriate, we will contractually protect and safeguard your interests at a similar level of protection as provided by us.
7. Cross-border transfer of Personal Data
7.1 Due to our international presence, your Personal Data may be transferred to or accessed by our Affiliates and authorised external parties from various countries around the world in order for us to fulfil the purposes described in this Notice.
7.2 As a result, we may transfer your Personal Data to countries located outside of your country of residence, which may have data protection related laws and rules that are different from those of your country of residence.
7.3 Personal Data may be transferred to an authorised external party located internationally only if we believe it is necessary or appropriate to:
a) ensure compliance with applicable data protection related laws which may include responding to requests from public and government authorities, cooperation with law enforcement agencies or other legal reasons; and/or
b) satisfy purposes for which Personal Data has been collected by us or to enforce our terms and conditions.
8. How long do we retain your Personal Data?
8.1 We keep your Personal Data as long as we need to fulfil the purposes for which it has been collected. We retain Personal Data only:
a) for the period required to serve applicable Business Purpose;
b) to the extent necessary to comply with an applicable legal requirement; and/or
c) as advised by local laws.
8.2 Promptly after the applicable retention period has ended, your Personal Data will be appropriately:
a) disposed;
b) de-identified (through removal of identifiable components, obfuscation, pseudonymisation, anonymisation, or any other means); and/or
c) transferred to an archive (unless this is prohibited by applicable data protection related law).
9. How do we protect your Personal Data?
9.1 We are committed to maintaining the security of the Personal Data Processed and restrict the Processing of Personal Data to those data/information that are reasonable, adequate for, and/or relevant to applicable Business Purpose.
9.2 To protect your Personal Data, we take appropriate measures, and we also require our external parties to protect the confidentiality and security of your Personal Data. Depending on the state of the art, the costs of implementation and the nature of the data/information to be protected, we have put in place physical, technical and organisational measures to prevent risks such as destruction, loss, misuse, alteration, and unauthorised disclosure of or access to your Personal Data.
9.3 If you have any reason to believe that your interaction with us is no longer secure, please contact us (contact details provided below).
10. How can you contact us for choices available to you?
10.1 We strive to maintain your Personal Data in a manner that is accurate, complete and up-to-date. Personal Data you provide us with must be accurate, complete and up-to-date, and you must inform us of any significant changes to your Personal Data.
10.2 Furthermore, if you share Personal Data of other people with us (including your Relatives) please note that you need to ensure that this Personal Data is collected in compliance with applicable data protection related laws. For example, you should inform such other people about contents of this Notice.
10.3 With respect to Processing of your Personal Data, you may:
a) obtain information on the Processing of your Personal Data;
b) ask questions about how we handle Personal Data;
c) request to review, correct, update, suppress, or restrict the use of your Personal Data;
d) request your Personal Data to be removed;
e) withdraw your consent to use of your Personal Data;
f) object to the use of Personal Data for our legitimate business interests; and/or
g) request to receive an electronic copy of your Personal Data for purposes of transferring it to another company.
10.4 If you have any inquiries, requests or comments in relation to this Notice, please contact the Data Protection Office via the following channels:
- Email: my.ihh.dpo@ihhhealthcare.com
- Written communication mailed to: Data Protection Officer, IHH Healthcare Malaysia, Pantai Medical Centre Sdn Bhd, Level 6, Block A, Pantai Hospital Kuala Lumpur, 8, Jalan Bukit Pantai, 59100 Kuala Lumpur
10.5 We will do our best to address your requests and concerns within a reasonable time. Upon receipt of your request, we may ask you to verify your identity before we can act on your request.
11. Updates to Notice
11.1 We may revise this Notice from time to time. Any changes will become effective on the Effective Date, when we post the revised Notice on our website. You are strongly advised to review this Notice periodically for any changes.
11.2 The English language version of this Notice shall prevail in the event of any inconsistencies with any translated versions.
APPENDIX 1: PERSONAL DATA WHICH MAY BE COLLECTED
| Categories of Personal Data | Examples of types of Personal Data we collect |
| --- | --- |
| Personal identification, demographic, and contact information | Name, surname, title, gender, country, date and place of birth, nationality, marital status, domestic partners, dependents, email address, phone number, mobile number, home address, emergency contact information. |
| Network traffic and other related data | Identification numbers, location data, online identifiers, IP address, cookies, web beacons, device identification details, language settings. |
| Account creation and login information | Login details (including password), existing and/or previous employee or contractor or supplier identification details, other information used to access and/or secure our systems and applications. |
| Images and/or videos from which you may be identified, images captured on security systems, including CCTV and key card entry systems | Pictures uploaded into our accounts, social media or services otherwise provided to us by you, CCTV images, log files. |
| Compensation and payroll | Bank account information, salary, bonus, payroll deductions including direct insurance. |
| Job, position, and organisation data | Department, supervisor, office address, work location, permit details, hire date, job title, designation, business unit, part-time or full-time position, work history, termination date and reason, retirement eligibility, promotions and disciplinary records, date of transfers, reporting manager(s), other details of employment contract. |
| Performance and benefits data | Performance reviews and ratings, incentives, awards, retirement, benefits data of family members/dependents such as names and date of birth. |
| Data resulting from internal or external communications | Contents of email, records of communication through bots, messaging tools, mobile communications. |
| Tax Data | Tax number, contribution rates, tax preferences, social security number. |
| Information that you decide to voluntarily share with us | Feedback, opinions, reviews, comments, any information you may share with us on our social media platform, internal communication platforms and websites. |
| Special categories of Personal Data | This may include: religious or philosophical beliefs; medical history and information about disabilities to the extent relevant to provide services, benefits and/or perform a contract; racial or ethnic data, for instance where this would show from pictures, photographs and other visual images, but also where such data is processed for diversity-related purposes; criminal data such as data relating to criminal behaviour, criminal records or proceedings regarding criminal or unlawful behaviour. |
APPENDIX 2: PURPOSES FOR WHICH PERSONAL DATA IS PROCESSED
| Purposes for Processing Personal Data | Examples |
| --- | --- |
| Administration and management | Management of relationship, management and administration of outplacement, eligibility for employment, initial hiring or rehiring, leave and other absences, management of compensation and benefits (including pensions and/or shares), management of tax issues, performance evaluations, providing and verifying employment references, loans, performing workforce analysis and planning, performing background checks, managing disciplinary matters, grievances and terminations, making business travel arrangements, managing business expenses and reimbursements, creating and maintaining one or more internal employee directories. |
| Business process execution and internal operations management | Internal communications, scheduling work, recording time, managing and allocating company and employee assets and human resources, managing career and talent development, performing internal surveys, ensuring business continuity and crisis management, improving employees’ and teams’ performance, managing courses and/or trainings, managing projects and costs, managing mergers, acquisitions, divestitures, re-organisations or disposals and integration with purchaser, compilation of audit trails and other reporting tools, maintaining records relating to business activities, budgeting, financial management and reporting. |
| Employee/Customer support | Providing support via internal tools and communication channels. |
| Commercial communications | Communications about discounts for services. |
| Security and protection of assets and employees | Deploying and maintaining technical and organisational security measures, conducting internal audits and investigations, conducting assessments to verify conflicts of interest, identifying and authenticating employees, managing network security and preventing data loss using automated technologies to identify malicious data on equipment or networks and to detect confidential information leaving our perimeter or being accessed without authorisation. Recording of your Personal Data through video or other digital, electronic, or wireless surveillance systems or devices to secure and maintain IT infrastructure, office equipment, facilities and other property. |
| Compliance with legal and regulatory obligations | Disclosing Personal Data to government institutions or supervisory authorities as required by law or judicial authorisation for complying with tax and national insurance deductions, record-keeping and reporting obligations, conducting audits and investigations to prevent or detect fraud or corruption, compliance with government inspections and other requests from government or other public authorities, responding to legal process, conducting investigations including employee reporting of allegations of wrongdoing, policy violations, fraud, or financial reporting concerns, complying with internal policies and procedures. Please also keep in mind that we may also use your data for security reasons and/or to protect our legitimate business interests or to prevent or investigate suspected or actual violations of law, breaches of the terms of employment or non-compliance with our policies. |
| Defence of legal claims | Establishment, exercise or defence of legal claims to which we are subject, such as responding to legal processes such as subpoenas, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claims (including any whistle-blower/ethics hotlines). |
| Health and safety | Protecting your and others’ health and safety, facilitating communication with you and your designated contacts in an emergency or during your business travel. |
| Enhanced security and further processing for improved services | Creation of de-identified and/or anonymised data from your Personal Data (by removal of identifiable components, obfuscation, anonymisation, or any other means) to enhance security and for further processing, aggregation and analysis for optimisation of patient care and improvement of healthcare services, products, research and development, which may include transferring anonymised data to our affiliates and business partners in foreign countries. |
[1] IHH Healthcare Malaysia is a network of companies operating within Malaysia (as part of the group of entities under the ultimate holding company, IHH Healthcare Berhad) including without limitation Pantai Holdings Sdn Bhd and its Affiliates. “Affiliates” means any entity that controls, is controlled by, or is under common control with, in each case either directly or indirectly, a subsidiary or related corporation of the Group, where “control” means the ownership of, or the power to vote, more than 50% of the voting stock, shares or interests of the entity.
[2] “Data Subjects” are entities and individuals including our employees, job applicants, clients, customers, business partners, personnel, contractors, suppliers and other individuals.
[3] “Process” (including references to “Processing” and “Processed”) is any operation or set of operations performed on the Personal Data including, but not limited to, collection, storage, use, disclosure, transfer or destruction.
[4] “Relatives” include spouses, next of kin, dependents, children, and partners.
[5] “Vulnerable Persons” are persons deemed more vulnerable by applicable laws and regulations, and include, but are not limited to, minors, the elderly, persons with disabilities, and persons with diminished mental capacity.