Paccaya Foundation Co., Ltd. (“the Company”) places great importance on the protection of personal data in accordance with the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”).  Accordingly, the Company has established this Privacy Policy in order to inform directors, employees, and all relevant personnel of the details concerning the collection, use, and disclosure (“processing”) of personal data, as set forth below.

Article 1: Scope of Application

This Policy applies to all personal data processing activities conducted by the Company, including any individuals who become aware of personal data as a result of their involvement in the Company’s operations. Such individuals shall comply with this Policy and with the requirements prescribed by applicable law.

Article 2: Definitions

For the purposes of this Policy:

• “Data Controller” means a natural or juristic person who has the authority to make decisions regarding the collection, use, or disclosure of personal data.

• “Data Processor” means a natural or juristic person who processes personal data on behalf of, or pursuant to the instructions of, the Data Controller. Such a person shall not be deemed a Data Controller.

• “Personal Data” means any information relating to an identifiable natural person, whether directly or indirectly, but does not include information of deceased persons.

• “Sensitive Personal Data” means personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union membership, genetic data, biometric data, or any other data which may affect the data subject in a similar manner as prescribed by the Personal Data Protection Committee.

• “Cookies” means small computer files temporarily stored on the data subject’s device, containing necessary personal data to facilitate convenience and efficiency in communication, and which are effective only during the use of the website system.

• “Data Subject” means a natural person who is the owner of personal data.

• “Personal Data Protection Law” means PDPA and all related subordinate legislation.

Article 3: Personal Data Processed by the Company

The Company collects personal data directly from data subjects, such as through communications, quotations, recruitment, and contractual arrangements, as well as from other sources, including government agencies, business partners, and third parties.

The categories of personal data processed by the Company include, but are not limited to:

1. Basic Information: name, surname, gender, date of birth, photograph, signature, national identification card information, house registration information, driver’s license information

2. Contact Information: current address, email address, telephone number, LINE ID

3. Financial Information: bank account details, payroll information, employee benefits

4. Sensitive Personal Data: criminal records, health information, biometric data, religious beliefs

5. Third-Party Information: referees, emergency contacts, family members

6. Other Information: cookie data, employment information, behavioural data, technological data, marketing data

In cases where the Company receives a copy of a national identification card for the purposes of identity verification and/or conducting transactions, which may contain sensitive personal data (such as religion or blood type), the Company has no policy to retain such sensitive personal data unless permitted by law. In such cases, the Company shall implement appropriate handling measures in accordance with applicable legal requirements.

Article 4: Legal Obligations of the Company

The Company shall:

• Provide a privacy notice to data subjects prior to or at the time of collecting personal data;

• Process personal data strictly in accordance with the stated purposes and on lawful bases as required by law;

• Implement appropriate security measures to prevent personal data breaches in accordance with the Personal Data Protection Law;

• Establish measures to prevent unauthorised or unlawful use or disclosure of personal data;

• Maintain procedures for reviewing, deleting, or destroying personal data once the retention period has expired or when such data is no longer necessary for the stated purposes;

• Establish measures for notification and management of personal data breach incidents;

• Enter into personal data processing agreements with data processors; and

• Perform any other duties as required under the Personal Data Protection Law.

Article 5: Roles, Duties, and Responsibilities

• Management shall be responsible for supervising and ensuring that all departments comply with this Policy, as well as promoting awareness among employees to integrate personal data protection into the Company’s operations.

• Employees shall be responsible for performing their duties in compliance with this Policy, operational procedures, and applicable personal data protection laws.

Article 6: Sanctions

Any executive, employee, or responsible person who neglects, fails to act, improperly instructs, or improperly performs their duties in violation of this Policy and personal data protection practices, resulting in legal violations or damage, shall be subject to disciplinary action in accordance with the Company’s regulations and/or legal liability under applicable law.

Where such violations cause damage to the Company and/or any third party, the Company reserves the right to pursue legal action.