PERSONAL DATA PROTECTION POLICY (Effective 25th March 2022)
1. PURPOSE
This Policy describes the policies and procedures of Eagle Eye Centre Pte. Ltd. and its subsidiary companies in Singapore (the “Company”) on the collection, use, process and disclosure of personal data by the Company in compliance with the requirements of the Personal Data Protection Act 2012 of Singapore, as revised from time to time (“PDPA”) and any other relevant legislations, regulations and policies which may be amended from time to time.
2. SCOPE
This Policy describes how personal data must be collected, used, processed, handled, stored and disclosed in order to meet the Company’s data protection standards and obligations under the PDPA. Examples of personal data which the Company may collect, use, process, handle, store and disclose include personal data relating to customers, patients, suppliers, business contacts, medical/dental practitioners (“RMP”), employees, independent contractors, agents and other people with whom the Company has a relationship with or may need to contact.
For the purposes of this Policy, “Staff” refers to all employees of the Company and where applicable, all individuals contracted and/or sub-contracted to complete works on behalf of the Company.
3. DEFINITIONS AND REQUIREMENTS UNDER THE PDPA
The Personal Data Protection Act 2012 (PDPA) describes how organisations collect, use, process, store and disclose personal data. Personal data is defined under the PDPA to mean any data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access to, including data in the Company’s records as may be updated from time to time.
The PDPA applies regardless of whether data is stored electronically, on paper or in other formats.
In general, the Company can only collect, use, process or disclose the personal data of an individual with the individual’s consent, and for a reasonable purpose which the organisation has made known to the individual. The Company is also required to provide individuals with access to their personal data and consider requests to correct personal data in the Company’s possession or under the Company’s control. For care of personal data, the PDPA sets out obligations in relation to the accuracy of personal data, the protection and retention of personal data, and the transfer of personal data out of Singapore.
Further details of specific key obligations are set out below:
- Personal data must be collected, used or disclosed only for purposes which would be considered appropriate by a reasonable person in the circumstances, and if applicable, have been notified to the individual concerned.
- Individuals must be notified of the purposes for the collection, use, process or disclosure of their personal data, prior to such collection, use or disclosure.
- The consent of the relevant individual must be obtained for any collection, use, process or disclosure of their personal data, unless exceptions apply. The Company must allow the withdrawal of consent which has been given or deemed to be given.
- When requested, the Company must: (i) provide individuals with their personal data in the possession or under the control of the Company and information about the ways in which the personal data may have been used or disclosed during the past year; and (ii) correct an error or omission in an individual’s personal data that is in the possession or under the control of the Company.
- The Company must use reasonable efforts to ensure that personal data is accurate and complete if such data is used to make a decision affecting the individual or if such data will be disclosed to another organisation.
- The Company must implement reasonable security arrangements for personal data.
- The Company must not keep personal data for longer than it is necessary to fulfil: (i) the purposes for which it was collected; or (ii) a legal or business purpose; or (iii) any regulatory or legal requirements.
- Personal data may be transferred outside Singapore only when needed for the Company to duly perform agreed services and fulfill its contractual obligations. In such case, the Company shall ensure that the recipient organisation is obliged to comply with a standard of protection which is comparable to the protection required under the PDPA and in accordance with the requirements prescribed therein.
- The Company must implement the necessary policies and procedures in order to meet the obligations under the PDPA and shall make information about its policies and procedures publicly available.
4. RESPONSIBILITIES
A person designated by the Chief Executive Officer of the Company shall undertake the role of Data Protection Officer (“DPO”) for the Company.
The DPO shall be responsible for advising the Company on this Policy and any other associated processes. Management staff including Senior Management and Heads of Department are responsible for implementation of this Policy and associated processes. All staff must adhere to this Policy.
5. PROCEDURE
5.1 All employees are to safeguard personal data collected in the course of business.
5.2 Any employee found to have willfully violated this Policy may be subject to disciplinary action, including termination of employment.
5.3 Policies and Guidelines
5.3.1. Purposes for Collection, Use, Disclosure and Processing of Personal Data
Please refer to “Eagle Eye Centre Pte Ltd Data Privacy Notice” as uploaded in the relevant Eagle Eye Centre Pte Ltd’s entities’ websites for the details of purposes for collection, use, disclosure and processing of personal data. In addition to “Eagle Eye Centre Pte Ltd Data Privacy Notice” as uploaded in the relevant Eagle Eye Centre Pte Ltd’s entities’ websites, personal data may be collected, used, disclosed and/or processed by the Company for various purposes, depending on the circumstances. Such purposes may include but are not limited to the following:
(a) providing data to the Company’s stakeholders and related/ associated entities, in the event that a patient wishes to be referred/transferred to either Mahkota Medical Centre or Regency Specialist Hospital for medical procedures with the Medisave programme or when patient information is shared between Starmed Specialist Centre’s contact center, Eagle Eye Aesthetics and OneCare GP clinics for referral purposes as agreed between Starmed Specialist Centre and OneCare;
(b) administering, managing and/or providing services to customers either directly through the Company’s employees, the Company’s associated companies’ independent contractors or indirectly by referral to other medical clinics or institutions;
(c) carrying out instructions or responding to any enquiries;
(d) carrying out due diligence or other screening activities (including background checks) in accordance with legal or regulatory obligations or risk management procedures;
(e) dealing in any matters relating to the services and/or products which customers have been prescribed to undertake;
(f) complying with applicable law in administering and managing claims; and
(g) any other purposes for which the Company will notify the customer and obtain consent for, prior to the collection, use and disclosure of the customer’s personal data for that purpose. Such purposes shall include those specified in the privacy policies set out in the Appendix of this Policy.
Items (a) to (g) above are collectively known as “Purposes”.
In order to conduct its day-to-day business operations, the Company may also disclose personal data to third-party service providers, agents and/or its affiliates or related medical clinics, and/or other third parties, whether located in or outside of Singapore, for one or more of the above-stated Purposes. Such third-party service providers, agents and/or affiliates or related medical clinics and/or other third parties will be processing personal data either on the Company’s behalf or otherwise, for one or more of the above-stated Purposes.
5.3.2. Specific Issues for the Disclosure of Personal Data to Third Parties
Below are scenarios where disclosure of personal data to third parties is permitted under the PDPA:
- cases in which the disclosure is required or authorised based on the applicable laws and/or regulations;
- cases in which the purpose of such disclosure is to carry out the Company’s responsibilities and deliverables;
- cases in which the disclosure is necessary to respond to an emergency that threatens the life, health or safety of yourself or another individual;
- cases in which the disclosure is necessary for medical processes or advice to be provided to you;
- cases in which the personal data is disclosed to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer; or
- cases in which the disclosure is to a public agency and such disclosure is necessary in the public interest; and/or
- where such disclosure without customers’ consent is permitted by the PDPA or by law.
5.3.3. Request for Access and / or Correction of Personal Data
- Customers may request access to personal data about themselves that is in the Company’s possession or under the Company’s control. Such access requests may be subject to the approval of the individual’s insurer or employer. The Company shall seek the approval for the release of such personal data with the affected insurer or employer and respond to the individual’s request within 21 days. Such requests for access to personal data may be chargeable on a discretionary basis as permitted by the relevant applicable personal data protection laws.
- Customers may access and / or correct personal data about themselves currently in the Company’s possession or under the Company’s control by submitting a request in writing to:
Data Protection Officer
Eagle Eye Centre Pte. Ltd.
159 Sin Ming Road, #05-07 Lobby 2 Amtech Building, Singapore 575625
Telephone: +65 64561000
Email: email@eagleeyecentre.com.sg
- The Company shall provide the relevant personal data within a reasonable time from such a request being received. Any request should be complied with within 21 days from the date of receipt of the request. In the event that the request cannot be complied with within 21 days, a notice must be submitted to the requestor explaining why this request cannot be complied with within the prescribed timeframe and that the request will be complied with to the extent that the Company is able to do so. Any request received must be resolved in whole not later than 14 days after the expiration of the 21-day period.
- For a request to correct personal data, the Company shall:
  - liaise with individual’s insurer or employer (if under the Medical Service Arrangement) to seek approval to correct the individual’s personal data as soon as practicable, and after the relevant approval has been obtained, to correct the customer’s personal data as soon as practicable;
  - send the corrected personal data to every other organisation to which the personal data was disclosed by the Company within a year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose;
  - notwithstanding the above, the Company may, with the customers’ consent, send the corrected personal data only to specific organisations to which the personal data was disclosed within a year before the date the correction was made.
- An administration fee will be charged for the handling and processing of requests to access personal data. A written estimate of the fee will be sent to the customer, and the Company is not required to respond to or deal with access requests unless the customer agrees to pay the fee.
5.3.4. Request to Withdraw Consent
- Customers may at any time withdraw consent for the collection, use and / or disclosure of personal data in the Company’s possession or under the Company’s control by submitting a request in writing to:
Data Protection Officer
Eagle Eye Centre Pte Ltd
159 Sin Ming Road, #05-07, Lobby 2 Amtech Building, Singapore 575625
Telephone: +65 64561000
Email: email@eagleeyecentre.com.sg
- Upon receiving a customer’s request regarding his withdrawal of consent, the Company shall liaise with customer’s insurer or employer (if under the Medical Service Arrangement) to review the request for withdrawal, and upon the grant of the relevant approvals, the Company will thereafter not collect, use and / or disclose personal data in the manner stated in the customer’s request unless such collection, use or disclosure of the personal data is required or authorised under PDPA or other written law.
5.3.5. Administration and Management of Personal Data
- The Company shall take reasonable efforts to ensure that personal data is accurate and complete, if personal data is likely to be used by the Company to make a decision that affects customers or disclosed to another organisation. Customers shall update the Company of any changes to his/her personal data since the time it was first provided to the Company. The Company shall not be responsible for relying on inaccurate or incomplete personal data arising from the customer’s failure to update the Company of any changes in his personal data since the time the personal data was first provided to the Company.
- The Company shall put in place reasonable security arrangements to ensure that personal data is adequately protected and secured. Appropriate security arrangements will be taken to prevent any unauthorised access, collection, use, disclosure, copying, modification, leakage, loss, damage and/or alteration of personal data. However, as far as permitted by the laws of Singapore, the Company will not assume responsibility for any unauthorised use of customers’ personal data by third parties which are wholly attributable to factors beyond the Company’s control.
- The Company shall retain personal data in accordance with legal, regulatory, business and operational obligations.
- Where personal data is to be transferred out of Singapore, the Company shall comply with the PDPA before making any such transfers. Unless an exception under the PDPA applies, this may include us entering into an appropriate contract with the foreign recipient organisation in relation to the transfer.
- Retention of Personal Data: The Company will cease to retain personal data, as soon as it is reasonable to assume that the purpose for collection of such personal data is no longer being served by such retention, and such retention is no longer necessary for legal or business purposes. In relation to this, the Company will retain personal data relating to claim records for a period as deemed necessary for legal requirements by authorities.
- Website Cookies: Whenever registered members visit the Company’s website, data may be logged to measure website performance and for the purposes of assisting with the resolution of any technical difficulties. In line with the latest security measures, the Session ID shall be purged after each session.
- Good Email Practices: Whenever possible, common email groups shall be created so that Staff would avoid typing of individual email address (as this may inadvertently result in data leaks if the email address is typed incorrectly). All emails (including the recipients and attachments) shall be reviewed thoroughly before sending out.
- Prohibition of Screenshots of Personal Data: Staff are prohibited from taking screenshots of personal data and information in the email body. If staff receive and/or have possession of screenshots, these must be deleted and disposed of, as soon as practicable.
- Encryption of Attachments: All attachments in emails containing personal data and information sent out have to be encrypted with a password, and this password will be shared with the recipient organisation in order to access the attachment.
- Transfer of Personal Data outside Singapore: Personal data may be transferred outside Singapore only when needed for the Company to duly perform agreed services and fulfill its contractual obligations. In such case, the Company shall ensure that the recipient organisation is obliged to comply with a standard of protection which is comparable to the protection required under the PDPA and in accordance with the requirements prescribed therein.
5.3.6. Complaint Process
Complaints or grievances regarding the handling of customer personal data can be made by contacting the Company via:
Data Protection Officer
Eagle Eye Centre Pte Ltd