PDPA

PERSONAL DATA PROTECTION POLICY
(Effective 25th March 2022)

1. PURPOSE

This Policy describes the policies and procedures of Eagle Eye Centre
Pte. Ltd. and its subsidiary companies in Singapore (the “Company”)
on the collection, use, process and disclosure of personal data by the
Company in compliance with the requirements of the Personal Data
Protection Act 2012 of Singapore, as revised from time to time (“PDPA”) and any
other relevant legislations, regulations and policies which may be amended from
time to time.

2. SCOPE

This Policy describes how personal data must be collected, used, processed,
handled, stored and disclosed in order to meet the Company’s data protection
standards and obligations under the PDPA. Examples of personal data which
the Company may collect, use, process ,handle, store and disclose include
personal data relating to customers, patients, suppliers, business contacts,
medical/dental practitioners (“RMP”), employees, independent contractors,
agents and other people with whom the Company has a relationship with or may
need to contact.
For the purposes of this Policy, “Staff” refers to all employees of the Company
and where applicable, all individuals contracted and/or sub-contracted to
complete works on behalf of the Company.

3. DEFINITIONS AND REQUIREMENTS UNDER THE PDPA

The Personal Data Protection Act 2012 (PDPA) describes how organisations
collect, use, process, store and disclose personal data. Personal data is defined
under the PDPA to mean any data, whether true or not, about an individual who
can be identified (a) from that data; or (b) from that data and other information
to which the organisation has or is likely to have access to, including data in the
Company’s records as may be updated from time to time.

The PDPA applies regardless of whether data is stored electronically, on paper or in other
formats.

In general, the Company can only collect, use, process or disclose the personal data of an
individual with the individual’s consent, and for a reasonable purpose which the organisation
has made known to the individual. The Company is also required to provide individuals with
access to their personal data and consider requests to correct personal data in the
Company’s possession or under the Company’s control. For care of personal data, the PDPA
sets out obligations in relation to the accuracy of personal data, the protection and retention
of personal data, and the transfer of personal data out of Singapore

Further details of specific key obligations are set out below:

    • Personal data must be collected, used or disclosed only for purposes which
      would be considered appropriate by a reasonable person in the
      circumstances, and if applicable, have been notified to the individual
      concerned.
    • Individuals must be notified of the purposes for the collection, use, process
      or disclosure of their personal data, prior to such collection, use or
      disclosure.
    • The consent of the relevant individual must be obtained for any collection,
      use, process or disclosure of their personal data, unless exceptions apply.
      The Company must allow the withdrawal of consent which has been given
      or deemed to be given.
    • When requested, the Company must: (i) provide individuals with their
      personal data in the possession or under the control of the Company and
      information about the ways in which the personal data may have been used
      or disclosed during the past year; and (ii) correct an error or omission in an
      individual’s personal data that is in the possession or under the control of
      the Company.
    • The Company must use reasonable efforts to ensure that personal data is
      accurate and complete if such data is used to make a decision affecting the
      individual or if such data will be disclosed to another organisation.
    • The Company must implement reasonable security arrangements for
      personal data.
    • The Company must not keep personal data for longer than it is necessary
      to fulfil: (i) the purposes for which it was collected; or (ii) a legal or business
      purpose; or (iii)any regulatory or legal requirements.
    • Personal data may be transferred outside Singapore only when needed for
      the Company to duly perform agreed services and fulfill its contractual
      obligations. In such case, the Company shall ensure that the recipient
      organisation is obliged to comply with a standard of protection which is
      comparable to the protection required under the PDPA and in accordance
      with the requirements prescribed therein.
    • The Company must implement the necessary policies and procedures in
      order to meet the obligations under the PDPA and shall make information
      about its policies and procedures publicly available.

 

4. RESPONSIBILITIES

A person designated by the Chief Executive Officer of the Company shall
undertake the role of Data Protection Officer (“DPO”) for the Company.

The DPO shall be responsible for advising the Company on this Policy and any
other associated processes. Management staff including Senior Management
and Heads of Department are responsible for implementation of this Policy and
associated processes. All staff must adhere to this Policy.

5. PROCEDURE

5.1 All employees are to safeguard personal data collected in the course of
business.

5.2 Any employee found to have willfully violated this Policy may be subject to
disciplinary action, including termination of employment.

5.3 Policies and Guidelines

5.3.1. Purposes for Collection, Use, Disclosure and Processing of Personal Data

Please refer to “Eagle Eye Centre Pte Ltd Data Privacy
Notice” as uploaded in the relevant Eagle Eye Centre Pte Ltd’s
entities’ websites for the details of purposes for collection, use,
disclosure and processing of personal data.
In addition to “Eagle Eye Centre Pte Ltd Data Privacy Notice”
as uploaded in the relevant Eagle Eye Centre Pte Ltd’s entities’
websites, personal data may be collected, used, disclosed and/
or processed by the Company for various purposes, depending
on the circumstances. Such purposes may include but not limited
to the following:
(a) providing data to the Company’s stakeholders and related/
associated entities, in the event that a patient wishes to be
referred/transferred to either Mahkota Medical Centre or
Regency Specialist Hospital for medical procedures with the
Medisave programme or when patient information is shared
between Starmed Specialist Centre’s contact center,
Eagle Eye Aesthetics and OneCare GP clinics for referral
purposes as agreed between Starmed Specialist Centre and
OneCare;
(b) administering, managing and/or providing services to
customers either directly through the Company’s employees,
the Company’s associated companies’ independent
contractors or indirectly by referral to other medical clinics or
institutions;
(c) carrying out instructions or responding to any enquiries;
(d) carrying out due diligence or other screening activities
(including background checks) in accordance with legal or
regulatory obligations or risk management procedures;
(e) dealing in any matters relating to the services and/or products
which customers have been prescribed to undertake;
(f) complying with applicable law in administering and managing
claims; and
(g) any other purposes for which the Company will notify the
customer and obtain consent for, prior to the collection, use and
disclosure of the customer’s personal data for that purpose.
Such purposes shall include those specified in the privacy
policies set out in the Appendix of this Policy.
Above item (a) to (g) are collectively known as “Purposes”.
In order to conduct its day-to-day business operations, the Company
may also disclose personal data to third-party service providers,
agents and/or its affiliates or related medical clinics, and/or other
third parties, whether located in or outside of Singapore, for one or
more of the above-stated Purposes. Such third-party service
providers, agents and/or affiliates or related medical clinics and/or
other third parties will be processing personal data either on the
Company’s behalf or otherwise, for one or more of the above-stated
Purposes.

5.3.2. Specific Issues for the Disclosure of Personal Data to Third
Parties

Below are scenarios where disclosure of personal data to third
parties are permitted under the PDPA:

      • cases in which the disclosure is required or authorised based
        on the applicable laws and/or regulations;
      • cases in which the purpose of such disclosure is to carry out
        the Company’s responsibilities and deliverables;
      • cases in which the disclosure is necessary to respond to an
        emergency that threatens the life, health or safety of yourself
        or another individual;
      • cases in which the disclosure is necessary for medical
        processes or advice to be provided to you;
      • cases in which the personal data is disclosed to any officer of
        a prescribed law enforcement agency, upon production of
        written authorisation signed by the head or director of that law
        enforcement agency or a person of a similar rank, certifying
        that the personal data is necessary for the purposes of the
        functions or duties of the officer; or
      • cases in which the disclosure is to a public agency and such
        disclosure is necessary in the public interest; and / or where
        such disclosure without customer’s’ consent is permitted by
        the PDPA or bylaw.

5.3.3. Request for Access and / or Correction of Personal Data

    • Customers may request access to personal data about
      themselves that is in the Company’s possession or under the
      Company’s control. Such access requests may be subject to
      the approval of the individual’s insurer or employer. The
      Company shall seek the approval for the release of such
      personal data with the affected insurer or employer and
      respond to the individual’s request within 21 days. Such
      requests for access to personal data may be chargeable on a
      discretionary basis as permitted by the relevant applicable
      personal data protection laws.
    • Customers may access and / or correct personal data about
      themselves currently in the Company’s possession or under
      the Company’s control by submitting a request in writing to:
      Data Protection Officer
      Eagle Eye Centre Pte. Ltd.
      159 Sin Ming Road,
      #05-07 Lobby 2 Amtech Building,
      Singapore 575625
      Telephone: +65 64561000
      Email: email@eagleeyecentre.com.sg
    • The Company shall provide the relevant personal data within a
      reasonable time from such a request being received. Any
      request should be complied with within 21 days from the date
      of receipt of the request. In the event that the request cannot
      be complied with within 21 days, a notice must be submitted to
      the requestor explaining why this request cannot be complied
      with within the prescribed timeframe and that the request will
      be complied with to the extent that the Company is able to do
      so. Any request received must be resolved in whole not later
      than 14 days after the expiration of the 21-day period.
    • For a request to correct personal data, the Company shall:
      • liaise with individual’s insurer or employer (if under the
        Medical Service Arrangement) to seek approval to correct
        the individual’s personal data as soon as practicable, and
        after the relevant approval has been obtained, to correct
        the customer’s personal data as soon as practicable;
      • send the corrected personal data to every other
        organisation to which the personal data was disclosed by
        the Company within a year before the date the correction
        was made, unless that other organisation does not need
        the corrected personal data for any legal or business
        purpose;
      • notwithstanding the above, the Company may, with the
        customers’ consent, send the corrected personal data only
        to specific organisations to which the personal data was
        disclosed within a year before the date the correction was
        made.
    • An administration fee will be charged for the handling and
      processing of requests to access personal data. A written
      estimate of the fee will be sent to the customer, and the
      Company is not required to respond to or deal with access
      requests unless the customer agrees to pay the fee.

5.3.4. Request to Withdraw Consent

    • Customers may at any time withdraw consent for the
      collection, use and / or disclosure of personal data in the
      Company’s possession or under the Company’s control by
      submitting a request in writing to:
      Data Protection Officer
      Eagle Eye Centre Pte Ltd
      159 Sin Ming Road,
      #05-07, Lobby 2 Amtech Building,
      Singapore 575625
      Telephone: +65 64561000
      Email: email@eagleeyecentre.com.sg
    • Upon receiving a customer’s request regarding his withdrawal
      of consent, the Company shall liaise with customer’s insurer
      or employer (if under the Medical Service Arrangement) to
      review the request for withdrawal, and upon the grant of the
      relevant approvals, the Company will thereafter not collect,
      use and / or disclose personal data in the manner stated in
      the customer’s request unless such collection, use or
      disclosure of the personal data is required or authorised under
      PDPA or other written law.

5.3.5. Administration and Management of Personal Data

    • The Company shall take reasonable efforts to ensure that
      personal data is accurate and complete, if personal data is
      likely to be used by the Company to make a decision that
      affects customers or disclosed to another organisation.
      Customers shall update the Company of any changes to
      his/her personal data since the time it was first provided to the
      Company. The Company shall not be responsible for relying
      on inaccurate or incomplete personal data arising from the
      customer’s failure to update the Company of any changes in
      his personal data since the time the personal data was first
      provided to the Company.
    • The Company shall put in place reasonable security
      arrangements to ensure that personal data is adequately
      protected and secured. Appropriate security arrangements
      will be taken to prevent any unauthorised access, collection,
      use, disclosure, copying, modification, leakage, loss, damage
      and/or alteration of personal data. However, as far as
      permitted by the laws of Singapore, the Company will not
      assume responsibility for any unauthorised use of customers’
      personal data by third parties which are wholly attributable to
      factors beyond the Company’s control.
    • The Company shall retain personal data in accordance with
      legal, regulatory, business and operational obligations.
    • Where personal data is to be transferred out of Singapore, the
      Company shall comply with the PDPA before making any
      such transfers. Unless an exception under the PDPA applies,
      this may include us entering into an appropriate contract with
      the foreign recipient organisation in relation to the transfer.
    • Retention of Personal Data
      The Company will cease to retain personal data, as soon as it
      is reasonable to assume that the purpose for collection of
      such personal data is no longer being served by such
      retention, and such retention is no longer necessary for legal
      or business purposes. In relation to this, the Company will
      retain personal data relating to claim records for a period as
      deemed necessary for legal requirements by authorities.
    • Website Cookies
      Whenever registered members visit the Company’s website,
      data may be logged to measure website performance and for
      the purposes of assisting with the resolution of any technical
      difficulties. In line with the latest security measures, the
      Session ID shall be purged after each session.
    • Good Email Practices
      Whenever possible, common email groups shall be created
      so that Staff would avoid typing of individual email address (as
      this may inadvertently result in data leaks if the email address
      is typed incorrectly). All emails (including the recipients and
      attachments) shall be reviewed thoroughly before sending
      out.
    • Prohibition of Screenshots of Personal Data
      Staff are prohibited from taking screenshots of personal data
      and information in the email body. If staff receive and/or have
      possession of screenshots, these must be deleted and
      disposed of, as soon as practicable.
    • Encryption of Attachments
      All attachments in emails containing personal data and
      information sent out have to be encrypted with a password,
      and this password will be shared with the recipient
      organisation in order to access the attachment.
    • Transfer of Personal Data outside Singapore
      Personal data may be transferred outside Singapore only
      when needed for the Company to duly perform agreed
      services and fulfill its contractual obligations. In such case, the
      Company shall ensure that the recipient organisation is
      obliged to comply with a standard of protection which is
      comparable to the protection required under the PDPA and in
      accordance with the requirements prescribed therein.

5.3.6. Complaint Process

Complaints or grievances regarding the handling of customer
personal data can be made by contacting the Company via:

Data Protection Officer
Eagle Eye Centre Pte Ltd
159 Sin Ming Road,
#05-07 Lobby 2 Amtech Building,
Singapore 575625

Locate us

Mt Alvernia

820 Thomson Road,
Mount Alvernia Hospital,
Medical Centre D, #06-57/58/59/60/61/62
Singapore 574623

Fax: (65) 6456 1006
Mt Elizabeth Orchard

Mount Elizabeth Medical Centre,
3 Mount Elizabeth #08-08,
Singapore 228510

Fax: (65) 6836 0002
Parkway East

Parkway East Medical Centre,
319 Joo Chiat Place,
#05-03 Singapore 427989

Fax: (65) 6348-1001
Mt Elizabeth Novena

38 Irawaddy Road,
Mount Elizabeth Novena Specialist Centre,
#08-22/23/24 Singapore 329563

Fax: (65) 6570 1001
Westgate

Westgate Mall,
3 Gateway Drive,
#02-42A Singapore 608532

Fax: (65) 6250-6066
Royal Square at Novena

Royal Square Novena Medical Centre at Royal Square at Novena,
101 Irrawaddy Road,
#11-07 to 13 Singapore 329565

Fax: (65) 6456-1002
King Albert Park

KAP Residences Mall,
9 King Albert Park,
#01-42/43/44 Singapore 598332

Fax: (65) 6475-1880