This Personal Data Protection Notice explains how Alhaya International Women’s Specialists Sdn. Bhd. (“ALHAYA”), operating under the business name Alhaya Fertility Centre, as the Data Controller, collects, uses, maintains, protects, and discloses your Personal Data in accordance with the Personal Data Protection Act 2010 (PDPA) and the Personal Data Protection Standards 2015.
As the Data Controller, ALHAYA is responsible for determining the purposes and means of processing your Personal Data and is committed to ensuring the confidentiality, integrity, and security of all Personal Data entrusted to us.
By providing your Personal Data to ALHAYA, you consent to the processing of your Personal Data in accordance with this Notice. You may withdraw your consent at any time, subject to legal or contractual restrictions.
1. What Personal Data We Collect
“Personal Data” refers to information that identifies you, including but not limited to:
- Name, address, gender, marital status, identification card number, passport number, date of birth, race, nationality, occupation, religion.
- Contact details: telephone number, email address.
- Financial information: bank account details, billing information, payment records.
- Sensitive Personal Data: medical history, laboratory reports, clinical notes, diagnostic images, blood type, genetic and fertility-related information, medication history.
- Photographs, CCTV recordings, video recordings, and audio recordings.
2. How We Collect Your Personal Data
As the Data Controller, ALHAYA may obtain your Personal Data from:
- Information provided directly by you or your authorised representative (parent, guardian, next of kin).
- Communications by telephone, email, letters, messaging platforms, or in-person discussions.
- Registration as a patient, employee, guarantor, business partner, or service recipient.
- Customer surveys, events, online platforms, and digital interactions with ALHAYA.
- Third parties such as employers, insurers, healthcare facilities, laboratories, or parties authorised by you.
- Public sources, regulators, and authorities where lawful.
3. Why We Process Your Personal Data
Your Personal Data is processed by ALHAYA, as the Data Controller, for the following purposes:
a) Providing, managing, and administering healthcare, fertility, and related services.
b) Insurance claims, third-party administration, billing, and payment processing.
c) Responding to enquiries, feedback, or communication requests.
d) Communicating with you regarding services, promotions, events, or operational updates.
e) Assessing creditworthiness and recovering outstanding payments.
f) Internal operations, analytics, quality assurance, audits, and administrative activities.
g) Training, quality audit, and service improvement (including audio/video recordings).
h) Crime prevention, safety, and security measures, including CCTV monitoring.
i) Investigating or preventing fraud, misconduct, or unlawful activities.
j) Enforcing ALHAYA’s legal rights or obtaining legal and professional advice.
k) Compliance with applicable laws, regulations, guidelines, and requirements of relevant regulatory or accreditation bodies.
l) Any other purpose for which you have explicitly consented or which is permissible under law.
4. Disclosure of Your Personal Data
As the Data Controller, ALHAYA may disclose your Personal Data to:
a) Government agencies and regulatory authorities (e.g. Ministry of Health, IRB, EPF, SOCSO, police).
b) Insurance companies, credit card companies, employers, guarantors, financial institutions, credit reporting agencies.
c) Hospitals, medical specialists, laboratories, or healthcare providers involved in your care or transfer.
d) Parents or guardians of minors.
e) IT service providers, data processors, contractors, suppliers, and vendors supporting ALHAYA operations.
f) External auditors, lawyers, advisors, consultants, and accreditation bodies.
g) Parties necessary to protect your life, health, safety, or public interest.
h) In the event of non-payment, limited disclosure of outstanding debts where legally permitted.
ALHAYA ensures all disclosures are made strictly for lawful purposes and in compliance with PDPA requirements.
5. How We Protect Your Personal Data
As the Data Controller, ALHAYA implements technical, administrative, physical, and organisational safeguards to protect your Personal Data from:
- loss
- misuse
- unauthorised access
- alteration
- disclosure
- destruction
Security controls include:
- Controlled access and role-based permissions
- Cybersecurity measures including encryption, authentication, firewalls
- Physical security and restricted access zones
- Staff training and confidentiality agreements
- Vendor and contractor data protection compliance
- Regular internal audits and periodic security reviews in accordance with Regulation 5 of the PDPA Standards 2015
6. Retention of Personal Data
ALHAYA, as the Data Controller, retains Personal Data only for as long as necessary to:
- fulfil the purposes it was collected for,
- comply with legal or regulatory requirements, and
- meet medical, insurance, audit, and operational obligations.
Personal Data will be securely destroyed or permanently deleted in accordance with ALHAYA’s retention and destruction policy, as required under Regulation 6 of the PDPA Standards 2015.
7. Accuracy of Personal Data
ALHAYA takes reasonable steps to ensure Personal Data processed is accurate, complete, and up to date, as required under Regulation 7 of the PDPA Standards 2015.
You are responsible for informing ALHAYA of any updates via a Personal Data Change Form available at our Centre.
8. Access, Correction & Withdrawal of Consent
As the Data Controller, ALHAYA facilitates data subject rights under the PDPA.
You may request:
- access to your Personal Data
- correction of inaccurate or incomplete Personal Data
- withdrawal of consent (subject to legal/contractual requirements)
ALHAYA may refuse requests under circumstances permitted by the PDPA, such as inability to verify identity or risk to patient safety.
For matters relating to Personal Data, including access, correction, withdrawal of consent, or privacy concerns, you may contact:
Neeta Lal, Data Protection Officer (DPO)
Alhaya Fertility Centre
Email: enquiry@alhayafertility.com
Tel: +603-7627 0088
ALHAYA will respond within a reasonable timeframe in accordance with Regulations 8 and 9 of the PDPA Standards 2015.
9. Incompetent Patients
“Incompetent Patients’’ include individuals medically certified as mentally incompetent, legally incapacitated, or minors under 18 years old.
If you provide Personal Data on their behalf, you:
- confirm you are the lawful guardian or authorised representative,
- consent to its processing, and
- accept responsibility for its accuracy and completeness.
10. Changes to This Notice
ALHAYA, as the Data Controller, reserves the right to amend this Notice as required to comply with legal, regulatory, or operational requirements. The latest version will be available at our Centre or on our website.
In the event of inconsistency, the English version shall prevail.
Last updated at 2 Dec 2025