IHH MY PERSONAL DATA PROTECTION NOTICE

1. Consent

   This PDP Notice serves to inform you that your personal data is being processed by us or on our behalf. By providing us with your personal data or continuing to communicate with us, we shall regard that you have consented to the processing of such data pursuant to this PDP Notice. Should we ask you to provide certain information by which you can be identified, then you can be assured that it will only be used in accordance with this PDP Notice.

2. Source of Personal Data

   We collect personal data directly from you or through information gathered during our ongoing relationship via offline or online platform. This includes data you provide through third parties, social media, call centre, mobile applications, text and messaging tools or public sources.

   Further, we may request your assistance to procure the consent of third parties whose personal data is made available by you to us, and you hereby agree to use your best endeavours to do so.

3. Types of Personal Data Collection

   Your personal data processed by us may include, where relevant:- name, date of birth, identity card number or passport, name of employer/company, home and office address, telephone/handphone number, facsimile number, email address, occupation, age, gender, marital status, weight, height, photos, race, nationality, religion, family and/or next of kin information, remuneration information, EPF number, SOCSO Number, Income Tax Number, Bank details, education background, training attended, working experiences, medical checkup result, medical record, medical diagnosis, personal health information, biometric data, Image/voice/video recording via CCTV Camera/Webcams, criminal history, investigations result, insurance details and any personal data required for the purposes set out in Item 4 below (referred to as “Personal Data”).

4. Purposes of the Personal Data

   Your Personal Data may be processed for the following purposes but not limited to the following:

   a. to provide medical and healthcare services;

   b. to facilitate the patient’s personal needs (i.e. extension stay for health tourists)

   c. to establish and manage medical records and medical reports;

   d. to facilitate payment, billing and invoicing process and outstanding recovery relating to the patients;

   e. to conduct research, analysis and improvement, including survey to enhance customer care and experience;

   f. to administer and respond to requests, queries, complaints, investigations and legal issues;

   g. to facilitate human resource management activities relating to employees;

   h. for submission and registration of relevant forms, licenses to the relevant authorities and/or third parties under the governing laws relevant to the healthcare industries;

   i. to provide marketing, advertisement, membership programmes, rewards schemes, offers and/or promotion on our products and services;

   j. creating de-identified, aggregated and/or anonymised data for data analysis to optimize patient care and improve healthcare services;

   k. undertake automated decision-making, including profiling where permissible under law, and/or

   l. for other purposes required to operate, maintain and better manage our business, security and your relationship with us (collectively, “the Purposes”)

   Your Personal Data may be collected in hardcopy forms or digitally, such as voice recording via call centre or on-line forms available during your visits to IHH MY premises, websites, mobile applications, social media, text and messaging tools, existing guest lists, business cards, guest books and/or any events organised by us (as defined earlier).

   The processing of your Personal Data may be mandatory or voluntary, depending on the Purposes for which your Personal Data is collected. Where it is mandatory for you to provide us with your Personal Data, and you fail or chose not to provide us with such data, or do not consent to the above or this PDP Notice, we will not be able to provide our services or otherwise engage with you.

5. Disclosure of Personal Data

   As stated in the Third Party Disclosure List, your Personal Data may be shared within IHH MY, related healthcare professional and authorised external parties, which may include the following:

   a. service providers, vendor, suppliers that provide products and services to us such as for security support, delivery and transportation, customer survey, debt recovery, payroll, employee expense support and benefits and rewards administration;

   b. Public and governmental authorities when required by law or to protect our rights;

   c. Professional advisors and others, such as banks, insurance companies, auditors, lawyers, accountants and payroll advisors;

   d. Other parties in connection with corporate transaction, such as sale of a business, reorganisation, merger, join venture or disposition of our business, assets or stock.

6. Cross-border Transfer of Personal Data

   Due to our international presence, your Personal Data May be transferred to or accessed by our Affiliate and authorized external parties from various countries around the world in order for us to fulfil the purposes described in this Notice and to comply with PDPA Conditions for cross border personal data transfer.

7. Security Measure

   We take appropriate measures, including our appointed external parties to protect the confidentiality and security of your Personal Data. We implement physical, technical and organisational measures to prevent risks, such as destruction, loss, misuse, alteration and unauthorised disclosure of or access to your Personal Data.

   Nevertheless, you are required to ensure the security of your password and not to disclose it to another party to reduce the risk of data breaches.

8. Retention Period

   Any Personal Data retained by us may be destroyed and/or deleted from our records and system in accordance with our retention policy in the event such data is no longer required for the said Purposes.

9. Access and Update of Personal Data

   We do our best to ensure that the Personal Data we hold about you is accurate, complete, not misleading and up to date. If there are any changes to your Personal Data or if you believe that the Personal Data we have about you is inaccurate, incomplete, misleading or not up to date, please contact us so that we may take steps to update your Personal Data.

   If you would like to request access to your Personal Data, porting of your Personal Data or withdraw your consent for us to process your Personal Data, please contact us. We recommend that your request to be made in writing or you may download the Personal Data Access Request Form from IHH MY entities’ websites. We may also take steps to verify your identity before fulfilling your request for access to your Personal Data in accordance with IHH’s PDP Policy and the PDPA.

10. To contact us

    If you have any inquiries, requests or comments in relation to this Notice, please contact the Data Protection Office via the following channels:

    • Email: [email protected]
    • Written communication mailed to:
      Data Protection Officer, IHH Healthcare Malaysia, Pantai Medical Centre Sdn Bhd, Level 33A, Mercu Aspire, No.3, Jalan Bangsar, KL Eco City, 59200 Kuala Lumpur.

We will do our best to address your requests and concerns within reasonable time. Upon receipt of your request, we may ask you to verify your identity before we can act on your request.

In the event of any inconsistency between the English version and the Bahasa Malaysia version of this PDP Notice, the English version shall prevail.

Revised date: 15^thJuly 2025