PERSONAL DATA PROTECTION POLICY

Unless otherwise defined herein, all capitalized words used in this policy shall have the meaning specified as follows:

• “Personal Data Protection Law” means the Personal Data Protection Act, B.E. 2562 including amendments, decrees, regulations, orders, notifications, rules, and any relevant laws.
• “Services” means to sell, purchase, hire, and services or any activities related to the services provided to the Personal Data Subject by the Company.
• “Personal Data” means any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased person in particular, such as, identification card number, address, physical and mental identity, social, economic or cultural identity information.
• “Company” means Thai-Lysaght Company Limited as the subsidiary of Univentures Public Company Limited.
• “Affiliate” means any company in which the Company or Univentures Public Company Limited owns 50% or more of the total issued shares (first-tier subsidiary), including any other company in which the first-tier subsidiary and/or subsidiaries in the next hierarchy own 50% or more of the total issued shares, and shall include the definition of the affiliated company in accordance with the regulations stipulated by the regulatory authorities at present or in the future.
• “Data Controller” means a person, or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of Personal Data.
• “Personal Data Subject” means a person, company’s directors, a person acts on behalf of the company including representatives of such person receiving the Services provided by the Company.

The Company collects personal data from the personal data owner both directly and indirectly as follows:

• Personal Data that the Personal Data Subject or the representative of the Personal Data Subject delivers to the following persons:
  • The Company;
  • Affiliates of the Company
  • Associates of the Company
  • Companies within the Company's business group; and
  • Business partners of the Company
• The provision of services using one or more of the Company’s channels, such as telephone services;
• The provision of services via the internet, including, the use of the Company’s website, applications, on line social media;
• Sources of information other than directly the owner of the personal data, e.g. state agencies, a company in the group, the Company’s contractual partners, etc. which the Company collects from other sources with the consent of the personal data owner and in accordance with the provisions of the applicable law, except in the case that the Company is required to do so as permitted under the applicable law

In the event Personal Data of another person has been provided to the Company, the Personal Data Subject warrants that the Personal Data Subject has the right and/or has obtained consent from such person to disclose such Personal Data and has fully complied with the Personal Data Protection Law.

Personal data is data which can be used to identify the owner of the personal data, whether directly or indirectly and the Company collects, uses and/or discloses the personal data of the personal data owner as follows:

• Personal data e.g. name, surname, gender, age, date of birth, marital status, address, job;
• Contact information, e.g. residential address, place of work, telephone number, Line ID, email address;
• Data that identifies your location while using a website. If the GPS System is enabled, it is deemed that the personal data owner consents for the Company to collect and evaluate your location while using the website. If you want to turn off the location function, the personal data owner can install a program or turn off the GPS function on your mobile phone
• Data based on computer or communications equipment such as:
  • Cookies, i.e. data sent from a website to a computer when you visit, enter and interact with websites from the Company’s website;
  • IP Address;
  • Web Browser used to provide access;
  • Websites that refer to the Company’s website;
  • Connectivity data using the website’s connection
• Data regarding services used (depending on the services used by the personal data owner on the website) e.g. registration to receive information in an electronic format, information related to whistleblowing or complaints, information relating to job applications, information regarding communication through the website and any other information regarding the personal data owner’s activities on the website, including information about the computer and connectivity information using the website’s connection
• Other data e.g. sound, pictures, video, photographs and closed circuit television recording pictures
• Other data that may be deemed to be personal data under the personal data protection laws

Special Personal Data

It is a special categories of Personal Data as stipulated in Section 26 of the Personal Data Protection Act, B.E. 2562 such as race, ethnic origin, political opinions, belief, religion, or philosophy, sexual orientation/identity, criminal record, health data, handicap, trade union information, genetic data, biometric data, or any data which may affect the Personal Data Subject in the same manner, the Company will process such Personal Data to the extent required by law and notify the Personal Data Subject prior to or at the time of Processing of such Personal Data according to the conditions prescribed by law.

The Company collects, uses and/or discloses personal data of the personal data owner for the purpose of the services provided by the Company as well as to comply with the laws which the Company and/or the personal data owner are required to comply with and for the other purposes as provided in this policy as follows:

• To provide services required by the personal data owner;
• To improve and develop the services provided by the Company to be efficient
• For the purpose of communication, e.g. warning notification, to respond when contacted by the personal data owner
• To confirm the identity of the personal data owner, whether for the purpose of recruiting, identification of the person making the contact, entering or exiting the office for security purposes;
• When the personal data owners give their explicit consent, the following purposes will be provided:
  • To announce various information regarding the Company and/or affiliates of the Company as well as to provide services and special privileges related to such services.
  • To announce information regarding products and services and activities of the Company.
  • For direct marketing.
  • For market research, analysis of the behavior and interests of the personal data owner for marketing purposes as well as other services that may be offered in the future to better match the requirements of the personal data owner for improved service when using the website.
• To comply with contractual obligations with the personal data owner or to fulfill requests of the personal data owner prior to entering into the contract
• To comply with the provisions of the applicable law
• For the lawful interests of the Company or other persons or entities

Personal Data Subjects can exercise their rights under Personal Data Protection Law details as follow;

• The right to access Personal Data that the Company has retained, including the right to request correction of inaccurate or incomplete data.
• The right to request electronic copies of Personal Data for provision to third parties or request the Company to send it directly to a third party.
• The right to object to the Processing of your Personal Data for marketing purposes and any other purposes.
• The right to request erasure of your Personal Data when such data is not required to be retained, including the right to limit the scope of Personal Data Processing, in the event that such data cannot be deleted.
• The right to request the restriction of the use of your Personal Data only in the part that is not necessary in the operation of the Company.
• The right to request the Company to provide Personal Data that is accurate, up to date, complete and does not cause misunderstandings.
• The right to file a complaint with government authorities in the event it is deemed that a violation of the Personal Data Subject’s has occurred.

Such exercise of the Personal Data Subject’ s rights shall be subject to the terms, notices and regulations set by the Company, which will be in accordance with the Personal Data Protection Law, including the Company's Personal Data Protection Policy and other criteria specified by the Company. A written request for exercise of rights shall be submitted to the Company's Data Protection Officer by means of the contact specified in Clause 13. of this policy. The consideration of the request is at the Company's sole discretion, and the Company's decision regarding the request is final.

Withdrawing consent may affect certain Services. As a result, the Company may not be able to provide Services to the fullest potential or certain services or benefits of the Company may not be made available or accessible. However, withdrawing consent will not affect the Processing of Personal Data for which consent has been provided.

The following actions to personal data shall not be deemed the violation of the personal data protection policy;

• An action towards personal data that has been disclosed in public at the time or before personal data owner disclose personal data to the Company, or personal data that is publicly disclosed which is not caused by the Company.
• Disclosure of personal data with your written consent or permission by other means.
• Disclosure of personal data as necessary by laws, orders, rules, regulations, court order, government authorities, or other necessity.