Personal Data Protection Policy

T.K.S. Group (the "Company") recognizes the importance of personal data protection and respects the privacy rights of all relevant parties. The Company oversees and manages personal data, and places importance on protecting the personal data of customers, employees, and business partners. For this reason, the Company has implemented retention and protection measures in accordance with the standards set forth in the Personal Data Protection Act B.E. 2562 (2019) and other related laws.

Definitions

• "Company" means T.K.S. Group, comprising T.K.S. Technology Public Company Limited and its subsidiaries, which are Siam Press Company Limited, and Gofive Company Limited.
• "Personal Data" means any information relating to a person which enables the identification of such person, whether directly or indirectly, but excluding the data of the deceased.
• "Data Controller" means a person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of Personal Data.
• "Data Processor" means a person or a juristic person who operates in relation to the collection, use, or disclosure of Personal Data on the instructions of or on behalf of the Data Controller. In this regard, the person or juristic person who operates in such a manner is not the Data Controller.
• "Data Subject" means customers, employees, and business partners who are natural persons.
• "Person" means a natural person.

Objectives for Establishing the Personal Data Protection Policy

The Company establishes this Personal Data Protection Policy to protect the data of the Company's customers, employees, and business partners when conducting various transactions with the Company, ensuring safety and reliability. This policy aims to ensure that Data Subjects receive effective protection and are protected against unauthorized use of their Personal Data, as well as to provide remediation to Data Subjects in accordance with relevant laws.

Collection of Personal Data

The Company will only collect Personal Data from the Data Subject as necessary for providing services and operations, and only upon receiving written or electronic consent from the Data Subject , in compliance with relevant laws. The Company will not collect Personal Data concerning race, religion or philosophy, health data, biometric data, disability, identity, or any other data from any other source without the prior consent of the Data Subject.

Purposes of Personal Data Collection

The Company will collect, use, adjust, and disclose the Personal Data of the data provider in accordance with the specified purposes, scope, and methods stipulated by law. The collection will be limited to what is necessary for the Company's services and operations, primarily for the benefit of the Data Subject, and for other purposes as permitted by law, including the following objectives:

1. To be used for processing, managing, considering the provision of services, and various operations related to the Company's existing and potential future businesses , including any actions for the benefit of the Data Subject , as well as for preparing the Company's accounts, financial statements, and accounting information.
2. To submit Personal Data to the National Credit Bureau Co., Ltd. for the purpose of credit approval , or to any other relevant government agencies for the benefit of considering credit for the data provider.
3. To be used for tracing and collecting installment payments under hire-purchase agreements and any other debts (if any) from the Data Subject, for which the Company has the legal right.
4. To be used for amending, canceling, and/or renewing hire-purchase agreements, employment contracts, and any other contracts between the Data Subject and the Company.
5. To be used as data for analysis, to propose for market research, and/or for organizing sales promotion activities, and/or for the benefit of database creation , and to use the data to offer benefits tailored to the Data Subject's interests, and/or to improve the Company's services, operations, or products.
6. To comply with regulations, announcements, bylaws, and any other requirements that the Company is obligated to follow by law.
7. For presenting information, follow-up, coordination, and after-sales service, as well as for providing electronic services.
8. To conduct any other related operations to achieve the objectives mentioned above.

Limitations on the Use of Personal Data

The Company will retain Personal Data in accordance with legal standards and will not use or disclose such data to third parties without the consent of the Data Subject, unless it is for compliance with the purposes stated above or as required by law. Personal Data will be disclosed to the following relevant agencies or individuals:

1. The Company's business partner group, including relevant government agencies, for services in processing, managing, considering the provision of services, and various operations that the Data Subject has received and may receive in the future.
2. National Credit Bureau Co., Ltd., including affiliated companies, the same business group or network, or other relevant agencies.
3. Employees, authorized persons, agents, or brokers of life insurance companies, non-life insurance companies, including affiliated companies, the same business group or network, or other relevant agencies.
4. Employees, authorized persons, agents, individuals, or juristic persons providing vehicle registration services and/or debt collection services and/or the Company's auditors and/or services and various operations related to the Company's existing and potential future businesses.
5. Employees, authorized persons, agents, individuals, juristic persons, or any other agency to comply with legal requirements or to establish the Company's contractual rights.

Rights of the Personal Data Subject

The Company places importance on the rights of the Personal Data Subject. Therefore, the rights of the Data Subject regarding their Personal Data collected by the Company have been defined to be in accordance with the law, as follows:

1. To request access to and obtain a copy of the Personal Data related to them, which is under the responsibility of the Company, according to the criteria and methods specified by the Company, or to request the disclosure of the source of the Personal Data that was obtained without their consent.
2. To obtain the Personal Data related to them from the Company in cases where the Company has made the Personal Data into a format which is readable or commonly used by automated tools or devices, and the Personal Data can be used or disclosed by automated means.
3. To object to the collection, use, or disclosure of the Personal Data related to them that the law permits to be collected without the data provider’s consent, at any time.
4. To request the Company to erase, destroy, or make the Personal Data non-personally identifiable in cases specified by law.
5. To request the Company to restrict the use of the Personal Data in cases specified by law.
6. To notify the Company to ensure that the Personal Data is accurate, current, complete, and not misleading.
7. To lodge a complaint in the event that the Data Controller or Data Processor, including employees or contractors of the Data Controller or Data Processor, violates or fails to comply with the Personal Data Protection law.

Withdrawal of Consent

The Data Subject can withdraw the consent given to the Company for the collection, use, or disclosure of the Personal Data mentioned above at any time , by notifying the Company of their intention and the reasons thereof. The Company will proceed as requested, unless there are legal or contractual limitations on the right to withdraw consent that benefit the Data Subject.

The withdrawal of consent by the Data Subject will not affect the collection, use, or disclosure of the Personal Data for which the Data Subject had previously given consent.

Refusal and Record Keeping

In the event that the Data Subject requests the Company to proceed as specified in clauses 6.1-6.7 or clause 7, the Company will proceed in accordance with the request within a reasonable time and according to the Company's procedures. However, the Company may refuse to comply with the request in the following cases:

1. It is inherently impossible to comply with the request.
2. The refusal is based on the law or a court order, and accessing and obtaining a copy of the Personal Data may cause damage to the rights and freedoms of others.
3. The transmission or transfer of Personal Data is a performance of duties for the public interest or a performance of duties under the law, or the exercise of such right may violate the rights or freedoms of others.
4. The Data Controller demonstrates a crucial legitimate ground for the collection, use, or disclosure of the Personal Data that is overriding.
5. The collection, use, or disclosure of the Personal Data is for the establishment of legal claims, compliance with or exercise of legal claims, or raising a defense against legal claims.

In the event that the Company refuses to proceed with any request from the Data Subject under clauses 6.1-6.7 or clause 7, the Company will prepare a refusal record report along with the reasons for the refusal. This record will be stored in the department, division, or any other unit within the Company that refused the Data Subject's request.

Security Measures

The Company recognizes the importance of security in the retention, use, and disclosure of the Data Subject's Personal Data. Therefore, the Company has implemented an international standard network security technology system for accessing Personal Data to prevent unauthorized access, destruction, disclosure, use, or reproduction of Personal Data, or any action unlawful.

Furthermore, the Company's Board of Directors has established policies, operational procedures, guidelines, and provided training on the knowledge of retaining, using, and disclosing Personal Data. This is to ensure that the Company's employees at all levels retain, use, and disclose Personal Data in compliance with the Company's standards and relevant laws.

Data Protection Officer (DPO)

To ensure the efficient retention, use, and disclosure of Personal Data, the Company has appointed a Data Protection Officer (DPO) to perform the duties stipulated in the Personal Data Protection Act B.E. 2562 (2019). The DPO will be responsible for inspection, providing advice, and coordinating with the Data Subject, the Data Processor, and the Personal Data Protection Committee Office regarding the retention, use, and disclosure of Personal Data.

Personal Data Retention and Destruction Period

The Company will retain the data received from the Data Subject only for the period necessary for the operations required to achieve the objectives mentioned above. This is unless a longer period is specifically prescribed by law, or is necessary for the establishment of legal claims, compliance with or exercise of legal claims, raising a defense against legal claims, or for carrying out a contract for which the Company has the legal right.

Revision of the Personal Data Protection Policy

This policy mandates a regular review at least once a year, or when there are changes in circumstances.

Contact and Exercise of Rights

If you have any questions or require further details regarding the collection, use, disclosure, and protection of your Personal Data, or if you wish to exercise your rights under the Personal Data Protection law , you can contact:

T.K.S. Technology Public Company Limited

• Contact Address: 30/88 Moo 1, Jesadawithi Road, Khok Kham Sub-district, Mueang District, Samut Sakhon Province
• Telephone Number: 0-2784-5888 (50 lines)
• Data Protection Officer (DPO): [email protected]