Effective Date: 15 August 2025
Last Updated: 14 August 2025
Medical Research Network for Social Co., Ltd. (the “Company,” “we,” or “our”) recognizes and attaches great importance to the protection of your personal data. This Privacy Notice is prepared to explain in detail the collection, use, disclosure, and/or transfer of your personal data, as well as your rights under the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”).
This policy applies to the personal data of external individuals that we obtain in the course of our business operations, including but not limited to:
– Personnel related to healthcare facilities and research projects: e.g., Principal Investigators, Co-investigators, Site Personnel.
– Representatives of business partners: e.g., directors, authorized representatives, employees, coordinators of entities that are research sponsors, consultants, and various service providers.
– Users and visitors: individuals who access our website, platform, or other communication channels.
– Interns: e.g., students who submit their curriculum vitae (CV), introduction letters, or other information to the Company for internship consideration, whether sent directly or via coordination with an educational institution.
– Job applicants: individuals who submit job applications, CVs, cover letters, or any other information for employment consideration.
– Other persons: any individuals whose personal data we may obtain during normal business operations.
We may collect your personal data directly through various channels, such as meetings, telephone calls, email, websites, or indirectly from our business partners. Types of data collected include:
– Identification information: e.g., full name, signature, national ID number, passport number, and copies of such documents.
– Contact information: e.g., address, telephone number, email address.
– Work and qualification information: e.g., educational and work history (CV), job title, affiliation, professional licenses, relevant training certificates (e.g., ICH-GCP).
– Internship and education information: e.g., academic history, transcripts, training records, introduction letters, university certifications, or CV details.
– Job application information: e.g., data in the job application form, CV, cover letter, interview results, skill test results, work history, educational history, background check results, and reference information.
– Financial information (for researchers): data necessary for payment, or financial support information used to verify relationships with research sponsors.
– Technical information: e.g., IP address, Cookie ID, login records, website usage history.
– Other information: e.g., photographs, videos from meetings or seminars, and any other information considered personal data under the law.
We process your personal data based on various legal bases, depending on the nature of the activity, as follows:
A. Processing based on Legitimate Interest
– For business communications: to contact, coordinate, respond to inquiries, and manage the relationship between us and you/your organization.
– For research project management: to assess qualifications, select researchers and sites for participation, verify status, and manage projects smoothly.
– For internal administration: to create databases, analyze and improve operations, prevent fraud, manage risks, and ensure the security of our IT systems.
– For establishing legal claims: to exercise, comply with, or defend legal claims in the future.
– To consider and select interns, and manage internship activities.
– To process information received from educational institutions for fair intern evaluation.
– To consider and select job applicants.
– To store applicant profiles in our database for future job opportunities (with consent).
– To process information from referees or other sources to assess applicants’ qualifications.
B. Processing based on Contractual Basis
– To take steps at your request before entering into a contract.
– To perform contracts to which you or your organization, as your principal, are a contracting party with us, e.g., research service contracts, consultancy contracts, payment processing under a contract.
C. Processing based on Legal Obligation
– To comply with laws or orders from competent government authorities, e.g., the Food and Drug Administration (FDA), Revenue Department.
– To provide necessary information to an Ethics Committee in accordance with applicable regulations.
D. Processing based on Consent
– Where no other legal basis applies, we will request your consent before processing your data, e.g., to share your data with other research sponsors who may be interested in working with you in the future, for marketing purposes, or for other purposes of which we have informed you.
We may disclose your personal data, as necessary, to the following persons or entities:
– Regulatory and governmental authorities: e.g., FDA, Human Research Ethics Committees, courts.
– Research project partners: e.g., sponsors, network hospitals, central laboratories.
– External service providers: e.g., cloud service providers, IT service providers, legal consultants, auditors, financial institutions for payment processing.
– Affiliates (if any) and internal management: for administrative purposes and to improve internal operations.
We may need to send or transfer your personal data to recipients in other countries, such as research sponsors, consultants, or server providers located abroad. In such cases, we will ensure that the destination country has adequate data protection standards or implement appropriate safeguards as required by law.
We will retain your personal data for as long as necessary to fulfill the purposes stated in this policy and as required by law or the applicable statute of limitations. When it is no longer necessary, we will delete, destroy, or anonymize the data.
– Clinical research data: retained as specified in the research protocol or applicable laws and regulations.
– Partner/customer data: retained for the duration of the contract and thereafter in accordance with the statutory limitation period (e.g., 10 years for accounting documents).
– Training applicant data: retained until the completion of training and possibly longer if the training certificate has legal effect or is a mandatory requirement. You consent to our contacting you for updates. Certificates will be retained for as long as they are valid, plus additional time for legal and regulatory verification.
– Job applicant data:
• For applicants not appointed, retained for 2 years from the date HR received the data; or
• For employees, retained for the duration of employment and 10 years after termination of the employment contract.
Upon expiration of these periods, the Company will delete or destroy the personal data unless disputes or litigation exist, in which case the Company reserves the right to retain the data until a final order or judgment is reached.
– Intern data:
• For interns sent by universities under agreements, retained for the duration of the internship and 10 years thereafter.
Upon expiration of this period, the Company will delete or destroy the personal data.
We do not intend to collect personal data from minors (persons under 20 years old), quasi-incompetent persons, or incompetent persons. If it is necessary to process such data based on consent, we will do so only after obtaining consent from the legal guardian or authorized representative.
You have the following rights under the Personal Data Protection Law:
– Right to withdraw consent
– Right to access
– Right to rectification
– Right to erasure
– Right to restriction of processing
– Right to data portability
– Right to object
– Right to lodge a complaint
You may contact us to exercise your rights using the details in Section 11. We will process your request within 30 days from receipt. However, we encourage you to contact us first to allow us to clarify and resolve your concerns before lodging a complaint with the relevant authority.
We have implemented administrative, technical, and physical safeguards to protect personal data from unauthorized access, use, alteration, modification, or disclosure.
We reserve the right to amend this policy from time to time. You can check the latest version on our website. If there are significant changes, we will notify you again.
Data Controller:
– Medical Research Network for Social Co., Ltd.
– Address: 196 Wach Building 3, 3rd Floor, Phahonyothin Road, Lat Yao Subdistrict, Chatuchak District, Bangkok 10900, Thailand
– Website: www.thaimedresnet.org
– Telephone: +66 2 940 5181
Data Protection Officer (DPO):
– Email: dpo@thaimedresnet.org
– Address: 196 Wach Building 3, 3rd Floor, Phahonyothin Road, Lat Yao Subdistrict, Chatuchak District, Bangkok 10900, Thailand