Personal Data Protection Policy

Saha-Union Public Company Limited (“the Company”) is aware of the importance of personal data protection of its shareholders, investors, business partners, directors, personnel of the Company, and persons related to the company. To ensure that such persons will receive full protection of their rights in accordance with the Personal Data Protection Act B.E. 2562 and other related laws, the Board of Directors has approved the Personal Data Protection Policy as part of the Company’s good corporate governance manual so that the company has a guideline and regulatory measures for its management of personal information, ranging from the collection, use, disclosure, including keeping personal information secure. The policy statements are as follows.

1. Scope of application

This Privacy Policy is applicable to the Company, its personnel, and persons involved in the processing of personal data by order or on behalf of the Company.

2. Definition

“The Company” means Saha-Union Public Company Limited.
“Processing” means any operation performed upon personal data such as collecting, recording, systematizing, structuring, storing, updating, altering, recovering, using, disclosing, forwarding, disseminating, transferring, merging, deleting, and destroying.
“Personal Data” means information about an individual that identifies the person whether directly or indirectly.
“Data Subject” means an individual from whom personal data can be identified whether directly or indirectly.
“Data Controller” means a natural person or juristic person who has the authority to make decisions about the processing of personal data.
“Data Processor” means a natural person or a juristic person who performs the processing of personal data on the order or on behalf of the personal data controller.
“Personal Data Protection Officer” means an individual or a group of persons appointed by the Company to act as a Personal Data Protection Officer according to the Personal Data Protection Act B.E. 2562.

3. Personal Data Protection Policy: Personal Data Protection Governance

3.1 The Company has established personal data governance structure, defining methods and measures that are suitable for compliance with the law as follows:

(1) Clearly define the roles, missions, and responsibilities of relevant agencies and operators to establish a regulatory mechanism for processing personal data in accordance with the law and the Company’s Personal Data Protection Policy.

(2) Appoint the Company’s Data Protection Officer (DPO) with roles and duties as required by law.

3.2 The company has prepared policies and guidelines, including documents related to the protection of personal data in accordance with the law.

3.3 The company has established a management process in compliance with the policy to control and supervise the practice according to the Company’s Personal Data Protection Policy.

3.4 The Company will conduct training for its personnel to ensure their knowledge, understanding, and awareness of the importance of personal data protection.

4. Personal Data Protection Policy: Personal Data Processing

4.1 The Company will process personal data both as a personal data controller and personal data processor as necessary under lawful, fair, and transparent purposes. The Company will appropriately maintain confidentiality, integrity, and security of personal data.

4.2 The Company shall provide Records of Processing Activities (ROPA) for recorded transactions and activities related to the processing of personal data.

4.3 The Company will provide a Personal Data Protection Notice for its directors, executives, shareholders, business partners, personnel, and persons related to the Company, as well as Consent Form and other documents as required by law.

4.4 In the event that the Company sends, transfers, or allows other persons to use personal data, the Company will enter into an agreement with those who receive or use that personal information determining rights and duties in accordance with the law.

4.5 In the event that the Company is required to send or transfer personal data to a foreign country. The Company will comply with the law.

4.6 The Company provides an audit system to delete or destroy personal data after the expiration of the retention period.

4.7 The Company will assess the risks and take measures to mitigate the risks and the impacts that may occur with the processing of personal data.

5. Personal Data Protection Policy: Data Subject Rights

The Company will provide measures, channels and methods to support the exercise of the rights of the personal data subject and respond to the request for the exercise of the personal data subject’s rights within the period prescribed by law.

6. Personal Data Protection Policy: Personal Data Security

6.1 The Company will provide measures to maintain the security of personal data that are effective, sufficient, appropriate, and in accordance with the law to prevent the loss, unauthorized access, misuse, alteration, or disclosure of personal data that is in the possession of the Company. Reviews and inspections of such measures will also be arranged.

6.2 All departments in the Company must cooperate with the Personal Data Protection Officer. In case of personal data breach, the Personal Data Protection Officer must report the incident to the Office of the Personal Data Protection Commission (PDPC) within 72 hours of being aware of the incident. If the breach is a high-risk violation that affects the rights and freedoms of a data subject, the company shall notify the data subject about the incident.

7. Roles, duties, and responsibilities
Board of Directors

Responsible for supervising and supporting the Company to effectively protect personal data and in accordance with the law.

President

Assumes a duty to monitor and supervise all departments to comply with the Company’s Personal Data Protection Policy and raise awareness among the Company’s employees.

Data Protection Officer (DPO)

Responsible for providing advice, consulting, and reviewing operations related to the Company’s processing of personal data in accordance with the law, as well as to coordinate and cooperate with the Office of the Personal Data Protection Commission (PDPC).

Company Employees

Responsible for performing duties in accordance with the Company’s Personal Data Protection Policy and reporting unusual incidents related to personal data protection and non-compliance with the law and the Company’s Personal Data Protection Policy to the supervisors.

8. Review of the Personal Data Protection Policy

The Company will arrange for a review, revision, or amendment of this policy from time to time to make sure it complies with the law, changes in the Company’s operations, as well as any suggestions that the Company deems appropriate and beneficial to all parties. The Company shall announce changes to its Personal Data Protection Policy through the Company’s website. (www.sahaunion.co.th)

9. Punishment

Failure to comply with the Company’s Personal Data Protection Policy may be an offense and result in a disciplinary penalty, as well as legal punishment.

10. Contact channel of the company

Data Protection Officer (DPO)
E-mail: dpo@sahaunion.co.th
Saha-Union Public Company Limited
1828 Sukhumvit Road, Phra Khanong Tai Sub-district, Phra Khanong District, Bangkok 10260

This Personal Data Protection Policy is applicable to personnel at all levels of the Company, including directors and executives of the company. Everyone is required to understand and comply with this policy as well as solemnly cooperate and support its practice throughout the organization. Attached herewith are the Personal Data Protection Notice for the Company’s directors, executives, shareholders, business partners, personnel, and persons related to the Company, Personal Data Processing Consent Form, and other relevant documents.

Announced on the 26th day of May 2022.