PERSONAL DATA PROTECTION POLICY
(Effective 25th March 2022)

1. PURPOSE

This Policy describes the policies and procedures of Eagle Eye Centre
Pte. Ltd. and its subsidiary companies in Singapore (the “Company”)
on the collection, use, processing and disclosure of personal data by the
Company in compliance with the requirements of the Personal Data
Protection Act 2012 of Singapore, as revised from time to time (“PDPA”) and any
other relevant legislation, regulations and policies which may be amended from
time to time.

2. SCOPE

This Policy describes how personal data must be collected, used, processed,
handled, stored and disclosed in order to meet the Company’s data protection
standards and obligations under the PDPA. Examples of personal data which
the Company may collect, use, process, handle, store and disclose include
personal data relating to customers, patients, suppliers, business contacts,
medical/dental practitioners (“RMP”), employees, independent contractors,
agents and other people with whom the Company has a relationship or may
need to contact.
For the purposes of this Policy, “Staff” refers to all employees of the Company
and where applicable, all individuals contracted and/or sub-contracted to
complete works on behalf of the Company.

3. DEFINITIONS AND REQUIREMENTS UNDER THE PDPA

The Personal Data Protection Act 2012 (PDPA) describes how organisations
collect, use, process, store and disclose personal data. Personal data is defined
under the PDPA to mean any data, whether true or not, about an individual who
can be identified (a) from that data; or (b) from that data and other information
to which the organisation has or is likely to have access to, including data in the
Company’s records as may be updated from time to time.

The PDPA applies regardless of whether data is stored electronically, on paper or in other
formats.

In general, the Company can only collect, use, process or disclose the personal data of an
individual with the individual’s consent, and for a reasonable purpose which the organisation
has made known to the individual. The Company is also required to provide individuals with
access to their personal data and consider requests to correct personal data in the
Company’s possession or under the Company’s control. For care of personal data, the PDPA
sets out obligations in relation to the accuracy of personal data, the protection and retention
of personal data, and the transfer of personal data out of Singapore.

Further details of specific key obligations are set out below:

    • Personal data must be collected, used or disclosed only for purposes which
      would be considered appropriate by a reasonable person in the
      circumstances, and if applicable, have been notified to the individual
      concerned.
    • Individuals must be notified of the purposes for the collection, use, processing
      or disclosure of their personal data, prior to such collection, use or
      disclosure.
    • The consent of the relevant individual must be obtained for any collection,
      use, processing or disclosure of their personal data, unless exceptions apply.
      The Company must allow the withdrawal of consent which has been given
      or deemed to be given.
    • When requested, the Company must: (i) provide individuals with their
      personal data in the possession or under the control of the Company and
      information about the ways in which the personal data may have been used
      or disclosed during the past year; and (ii) correct an error or omission in an
      individual’s personal data that is in the possession or under the control of
      the Company.
    • The Company must use reasonable efforts to ensure that personal data is
      accurate and complete if such data is used to make a decision affecting the
      individual or if such data will be disclosed to another organisation.
    • The Company must implement reasonable security arrangements for
      personal data.
    • The Company must not keep personal data for longer than it is necessary
      to fulfil: (i) the purposes for which it was collected; or (ii) a legal or business
      purpose; or (iii) any regulatory or legal requirements.
    • Personal data may be transferred outside Singapore only when needed for
      the Company to duly perform agreed services and fulfill its contractual
      obligations. In such case, the Company shall ensure that the recipient
      organisation is obliged to comply with a standard of protection which is
      comparable to the protection required under the PDPA and in accordance
      with the requirements prescribed therein.
    • The Company must implement the necessary policies and procedures in
      order to meet the obligations under the PDPA and shall make information
      about its policies and procedures publicly available.

 

4. RESPONSIBILITIES

A person designated by the Chief Executive Officer of the Company shall
undertake the role of Data Protection Officer (“DPO”) for the Company.

The DPO shall be responsible for advising the Company on this Policy and any
other associated processes. Management staff including Senior Management
and Heads of Department are responsible for implementation of this Policy and
associated processes. All staff must adhere to this Policy.

5. PROCEDURE

5.1 All employees are to safeguard personal data collected in the course of
business.

5.2 Any employee found to have willfully violated this Policy may be subject to
disciplinary action, including termination of employment.

5.3 Policies and Guidelines

5.3.1. Purposes for Collection, Use, Disclosure and Processing of Personal Data

Please refer to “Eagle Eye Centre Pte Ltd Data Privacy
Notice” as uploaded in the relevant Eagle Eye Centre Pte Ltd’s
entities’ websites for the details of purposes for collection, use,
disclosure and processing of personal data.
In addition to “Eagle Eye Centre Pte Ltd Data Privacy Notice”
as uploaded in the relevant Eagle Eye Centre Pte Ltd’s entities’
websites, personal data may be collected, used, disclosed and/
or processed by the Company for various purposes, depending
on the circumstances. Such purposes may include, but are not limited
to, the following:
(a) providing data to the Company’s stakeholders and related/
associated entities, in the event that a patient wishes to be
referred/transferred to either Mahkota Medical Centre or
Regency Specialist Hospital for medical procedures with the
Medisave programme or when patient information is shared
between Starmed Specialist Centre’s contact center,
Eagle Eye Aesthetics and OneCare GP clinics for referral
purposes as agreed between Starmed Specialist Centre and
OneCare;
(b) administering, managing and/or providing services to
customers either directly through the Company’s employees,
the Company’s associated companies’ independent
contractors or indirectly by referral to other medical clinics or
institutions;
(c) carrying out instructions or responding to any enquiries;
(d) carrying out due diligence or other screening activities
(including background checks) in accordance with legal or
regulatory obligations or risk management procedures;
(e) dealing in any matters relating to the services and/or products
which customers have been prescribed to undertake;
(f) complying with applicable law in administering and managing
claims; and
(g) any other purposes for which the Company will notify the
customer and obtain consent for, prior to the collection, use and
disclosure of the customer’s personal data for that purpose.
Such purposes shall include those specified in the privacy
policies set out in the Appendix of this Policy.
Items (a) to (g) above are collectively known as the “Purposes”.
In order to conduct its day-to-day business operations, the Company
may also disclose personal data to third-party service providers,
agents and/or its affiliates or related medical clinics, and/or other
third parties, whether located in or outside of Singapore, for one or
more of the above-stated Purposes. Such third-party service
providers, agents and/or affiliates or related medical clinics and/or
other third parties will be processing personal data either on the
Company’s behalf or otherwise, for one or more of the above-stated
Purposes.

5.3.2. Specific Issues for the Disclosure of Personal Data to Third
Parties

Below are scenarios where disclosure of personal data to third
parties is permitted under the PDPA:

        • cases in which the disclosure is required or authorised based
          on the applicable laws and/or regulations;
        • cases in which the purpose of such disclosure is to carry out
          the Company’s responsibilities and deliverables;
        • cases in which the disclosure is necessary to respond to an
          emergency that threatens the life, health or safety of yourself
          or another individual;
        • cases in which the disclosure is necessary for medical
          processes or advice to be provided to you;
        • cases in which the personal data is disclosed to any officer of
          a prescribed law enforcement agency, upon production of
          written authorisation signed by the head or director of that law
          enforcement agency or a person of a similar rank, certifying
          that the personal data is necessary for the purposes of the
          functions or duties of the officer; or
        • cases in which the disclosure is to a public agency and such
          disclosure is necessary in the public interest; and / or where
          such disclosure without the customer’s consent is permitted by
          the PDPA or by law.

5.3.3. Request for Access and / or Correction of Personal Data

      • Customers may request access to personal data about
        themselves that is in the Company’s possession or under the
        Company’s control. Such access requests may be subject to
        the approval of the individual’s insurer or employer. The
        Company shall seek the approval for the release of such
        personal data with the affected insurer or employer and
        respond to the individual’s request within 21 days. Such
        requests for access to personal data may be chargeable on a
        discretionary basis as permitted by the relevant applicable
        personal data protection laws.
      • Customers may access and / or correct personal data about
        themselves currently in the Company’s possession or under
        the Company’s control by submitting a request in writing to:
        Data Protection Officer
        Eagle Eye Centre Pte. Ltd.
        159 Sin Ming Road,
        #05-07 Lobby 2 Amtech Building,
        Singapore 575625
        Telephone: +65 64561000
        Email: email@eagleeyecentre.com.sg
      • The Company shall provide the relevant personal data within a
        reasonable time from such a request being received. Any
        request should be complied with within 21 days from the date
        of receipt of the request. In the event that the request cannot
        be complied with within 21 days, a notice must be submitted to
        the requestor explaining why this request cannot be complied
        with within the prescribed timeframe and that the request will
        be complied with to the extent that the Company is able to do
        so. Any request received must be resolved in whole not later
        than 14 days after the expiration of the 21-day period.
      • For a request to correct personal data, the Company shall:
        • liaise with the individual’s insurer or employer (if under the
          Medical Service Arrangement) to seek approval to correct
          the individual’s personal data as soon as practicable, and
          after the relevant approval has been obtained, to correct
          the customer’s personal data as soon as practicable;
        • send the corrected personal data to every other
          organisation to which the personal data was disclosed by
          the Company within a year before the date the correction
          was made, unless that other organisation does not need
          the corrected personal data for any legal or business
          purpose;
        • notwithstanding the above, the Company may, with the
          customers’ consent, send the corrected personal data only
          to specific organisations to which the personal data was
          disclosed within a year before the date the correction was
          made.
      • An administration fee will be charged for the handling and
        processing of requests to access personal data. A written
        estimate of the fee will be sent to the customer, and the
        Company is not required to respond to or deal with access
        requests unless the customer agrees to pay the fee.

5.3.4. Request to Withdraw Consent

      • Customers may at any time withdraw consent for the
        collection, use and / or disclosure of personal data in the
        Company’s possession or under the Company’s control by
        submitting a request in writing to:
        Data Protection Officer
        Eagle Eye Centre Pte Ltd
        159 Sin Ming Road,
        #05-07, Lobby 2 Amtech Building,
        Singapore 575625
        Telephone: +65 64561000
        Email: email@eagleeyecentre.com.sg
      • Upon receiving a customer’s request regarding his withdrawal
        of consent, the Company shall liaise with the customer’s insurer
        or employer (if under the Medical Service Arrangement) to
        review the request for withdrawal, and upon the grant of the
        relevant approvals, the Company will thereafter not collect,
        use and / or disclose personal data in the manner stated in
        the customer’s request unless such collection, use or
        disclosure of the personal data is required or authorised under
        PDPA or other written law.

5.3.5. Administration and Management of Personal Data

      • The Company shall take reasonable efforts to ensure that
        personal data is accurate and complete, if personal data is
        likely to be used by the Company to make a decision that
        affects customers or disclosed to another organisation.
        Customers shall update the Company of any changes to
        their personal data since the time it was first provided to the
        Company. The Company shall not be responsible for relying
        on inaccurate or incomplete personal data arising from the
        customer’s failure to update the Company of any changes in
        their personal data since the time the personal data was first
        provided to the Company.
      • The Company shall put in place reasonable security
        arrangements to ensure that personal data is adequately
        protected and secured. Appropriate security arrangements
        will be taken to prevent any unauthorised access, collection,
        use, disclosure, copying, modification, leakage, loss, damage
        and/or alteration of personal data. However, as far as
        permitted by the laws of Singapore, the Company will not
        assume responsibility for any unauthorised use of customers’
        personal data by third parties which are wholly attributable to
        factors beyond the Company’s control.
      • The Company shall retain personal data in accordance with
        legal, regulatory, business and operational obligations.
      • Where personal data is to be transferred out of Singapore, the
        Company shall comply with the PDPA before making any
        such transfers. Unless an exception under the PDPA applies,
        this may include the Company entering into an appropriate contract with
        the foreign recipient organisation in relation to the transfer.
      • Retention of Personal Data
        The Company will cease to retain personal data, as soon as it
        is reasonable to assume that the purpose for collection of
        such personal data is no longer being served by such
        retention, and such retention is no longer necessary for legal
        or business purposes. In relation to this, the Company will
        retain personal data relating to claim records for a period as
        deemed necessary for legal requirements by authorities.
      • Website Cookies
        Whenever registered members visit the Company’s website,
        data may be logged to measure website performance and for
        the purposes of assisting with the resolution of any technical
        difficulties. In line with the latest security measures, the
        Session ID shall be purged after each session.
      • Good Email Practices
        Whenever possible, common email groups shall be created
        so that Staff avoid typing individual email addresses (as
        this may inadvertently result in data leaks if the email address
        is typed incorrectly). All emails (including the recipients and
        attachments) shall be reviewed thoroughly before sending
        out.
      • Prohibition of Screenshots of Personal Data
        Staff are prohibited from taking screenshots of personal data
        and information in the email body. If staff receive and/or have
        possession of screenshots, these must be deleted and
        disposed of, as soon as practicable.
      • Encryption of Attachments
        All attachments in emails containing personal data and
        information sent out have to be encrypted with a password,
        and this password will be shared with the recipient
        organisation in order to access the attachment.
      • Transfer of Personal Data outside Singapore
        Personal data may be transferred outside Singapore only
        when needed for the Company to duly perform agreed
        services and fulfill its contractual obligations. In such case, the
        Company shall ensure that the recipient organisation is
        obliged to comply with a standard of protection which is
        comparable to the protection required under the PDPA and in
        accordance with the requirements prescribed therein.

5.3.6. Complaint Process

Complaints or grievances regarding the handling of customer
personal data can be made by contacting the Company via:

Data Protection Officer
Eagle Eye Centre Pte Ltd
159 Sin Ming Road,
#05-07 Lobby 2 Amtech Building,
Singapore 575625