Personal Data Protection Policy

1. Principles and reasons

With the rapid advancement of information technology and communication systems, access to the collection, use and disclosure of personal data has become easy, convenient and fast, which may lead to damage to the data owner. In addition, the Personal Data Protection Act B.E. 2562 was announced in the Government Gazette on 27th May 2019 and has been effective since 1st June 2022 onwards.

The Company realizes the importance of personal data protection (Privacy Right) which must be protected under the Constitution of the Kingdom of Thailand and the Universal Declaration of Human Rights, which states that no person shall be subjected to arbitrary interference with his privacy, family, home or communications, or to attacks on his honor and reputation. Everyone has the right to be protected by law against such interference or attacks, including to support and respect the protection of human rights as proclaimed internationally, in accordance with the principles of the United Nations Global Compact, including the Personal Data Protection Act B.E. 2562. Therefore, the Company has announced a policy as a principle for the protection of personal data (Data Privacy).

2. Objectives
This Privacy Policy is established for the following purposes:
2.1 To protect the data of the owner of personal data who is a natural person in the transaction and/or use of service or have interest or are involved with the Company, including but not limited to the following persons:
a. Customers
b. Employees
c. Shareholders
d. Investors, creditors, debtors
e. Business partners, business partners
f. Persons hired by the Company to operate according to the Company's objectives, such as professional consultants, IT service providers, etc.
g. Persons who visit the Company's website or application
h. Persons who come to contact or use services in the Company's factory, warehouse, office, building or any place
i. Employee's family, beneficiaries under the life insurance policy, non-life insurance that the Company has provided
j. Persons who are referred, such as persons who are referred in the job application, offering products and services to the Company, etc.
2.2 To define the roles and responsibilities of agencies, executives and employees who are involved in personal data
2.3 To define procedures or measures for maintaining security in protecting personal data
2.4 To define guidelines for employees' work related to personal data
2.5 To create confidence in the security of personal data for the owner of personal data
2.6 To collect, use or disclose personal data under legal basis and to process data only for the specified purposes, and will not disclose the collected personal data to external parties, except under the scope of the law where it can be done.

3. Scope of Use
This announcement shall be effective for the board of directors, executives and employees at all levels of Alucon Public Company Limited, including business partners, service providers and stakeholders of the Company, and shall apply to all activities and operations of the Company related to personal data.

4. Definitions
“Company” means Alucon Public Company Limited.
“Personal Data” means information about an individual, which enables the identification of that individual, directly or indirectly, but does not include information about the deceased.
“Sensitive Personal Data” means personal data that is at risk of being unfairly discriminated against (Sensitive Data). In this case, it means race, religion, sexual behavior, criminal history, health information, disability, genetic information, biometric data, or others as prescribed by law.
“Personal Data Owner” means a person who owns personal data, such as customers, business partners, service users, and employees.
“Personal Data Controller” means a person or legal entity who has the authority to make decisions regarding the collection, use or disclosure of personal data. In this context, it means a company, agency, or employee responsible for such personal data.
“Personal Data Processor” means a person or legal entity who performs the collection, use or disclosure of personal data at the instruction of, or on behalf of, the personal data controller. In this context, it means a business partner, person, or external company that the Company has hired.
“Person” means a natural person.
“Incompetent Person” means a person who is a minor, an incompetent person, or a quasi-incompetent person under the Civil and Commercial Code.
“Data Protection Officer” means a person appointed by the Company to act as a personal data protection officer under the Personal Data Protection Act B.E. 2562.
“Data Protection Coordinator” means a person who is designated or assigned under this Policy to be a personal data coordinator under the Personal Data Protection Act B.E. 2562.

5. Protection of Personal Data
5.1 Collection of Personal Data
Collection of personal data shall be carried out within the objectives and only as necessary within the framework of the objectives or for benefits directly related to the purpose of collection, and the owner of the personal data shall be informed before or at the time of collection of the data, of the following details:
1) Purpose of collection
2) Period of collection
3) Types of persons or agencies to whom personal data may be disclosed
4) Information or channels of contact with the Company
5) Rights of the owner of the personal data
6) Notification of the impact of not providing personal data, in the event that the owner of the personal data does not provide personal data as specified or to enter into or perform a contract
However, in the following cases, consent from the owner of the personal data is not required:
(a) For public interest, research, statistics, or compliance with the law
(b) Actions are taken to prevent or suppress dangers to the life, body, or health of the owner of the personal data
(c) Necessary to perform a contract or to use in acting at the request of the owner of the personal data before entering into that contract
(d) Necessary in accordance with the duty to perform an action for the public interest or to perform duties assigned by the government or for the legitimate interests of the personal data controller or of any person or legal entity other than the personal data controller. Legitimate interests are more important than the fundamental rights of the data owner.

5.2 Collection of personal data of persons with disabilities
Collection of personal data of which the data owner is a minor for any purpose that the minor cannot pursue legal action on his/her own, as prescribed by the Civil and Commercial Code, must be accompanied by the consent of the person exercising parental authority or the person acting on behalf of the minor, except in the case of a minor under 10 years of age, in which case the consent of the person exercising parental authority or the person acting on behalf of the minor must be obtained.
Collection of personal data of which the data owner is an incompetent or quasi-incompetent person must be accompanied by the consent of the guardian or the person acting on behalf of the minor.
5.3 Collection of sensitive personal data
The Company will not collect sensitive personal data unless it is necessary to collect it and must receive the express consent of the data owner, except in cases where the law stipulates that it can be collected without requesting consent.
5.4 Use and/or disclosure of personal data
The use and/or disclosure of personal data shall be in accordance with the purposes notified to the data owner before or at the time of collection, or is necessary for benefits directly related to the purpose of collecting personal data, and must receive the consent of the data owner, except in cases where the law stipulates that consent from the data owner is not required, or it is in compliance with the law.
Any other person or entity that receives personal data from the owner of the personal data agreeing to disclose personal data must use the personal data only for the purposes for which the owner of the personal data has agreed to provide it to the Company and as notified to the Company by that person or entity.

6. Quality of personal data
Personal data collected must be accurate, current, complete and not misleading, and a channel must be provided for the owner of personal data to request or correct their personal data.

7. Roles and responsibilities
The Company requires employees or agencies related to personal data to give importance to and take responsibility for collecting, using or disclosing personal data in strict accordance with the Company's personal data protection policy and practices. The following persons or agencies are assigned to supervise and inspect the Company's operations to ensure that they are correct and in compliance with the policy and the Personal Data Protection Act:

7.1 Personal Data Controller
7.1.1 Provide appropriate personal data security measures and review them regularly to ensure that they are effective and up-to-date with changing technologies.
7.1.2 Define the scope of personal data management in accordance with the law.
7.1.3 Provide a system to inspect the collection of personal data in accordance with the law.
7.1.4 Record personal data as required by law.
7.1.5 Make an agreement with a personal data processor, legal entity or other external person. If personal data is disclosed, the hired personal data processor, legal entity or other external person must have security measures in place for the collection, use and/or disclosure of personal data in accordance with this policy and the Personal Data Protection Act B.E. 2562.
7.2 Personal Data Processor
7.2.1 Carry out operations related to the collection, use and/or disclosure of personal data in accordance with the instructions received from the personal data controller.
7.2.2 Provide appropriate measures for the security of personal data.
7.2.3 Prepare and maintain records of personal data processing activities.
7.3 Data Protection Officer
7.3.1 Prepare and review the personal data protection policy and the Company's personal data protection practices to be complete and accurate as required by law.
7.3.2 Provide advice on various matters related to personal data protection to the Company's executives, employees and business partners.
7.3.3 Inspect the operations of the personal data controller and the personal data processor.
7.3.4 Supervise the Company's various departments and business partners to operate in accordance with the Company's personal data protection policies and practices.
7.3.5 Report the performance of the Company's various departments and business partners to the executives.
7.3.6 Coordinate and manage complaints or requests to exercise the rights of personal data owners who have been contacted or requested by the personal data owner.
7.3.7 Coordinate and cooperate with the Personal Data Protection Committee Office in the event of any problems regarding the collection, use or disclosure of personal data of the Company and its business partners.
7.3.8 Notify the Personal Data Protection Committee Office of the personal data breach within 72 hours of becoming aware of the incident as far as possible.
7.4 Law Office, Business Group
7.4.1 Provide advice, recommendations and opinions on operations in compliance with the Personal Data Protection Act
7.4.2 Review/prepare related documents and contracts to comply with the Personal Data Protection Act
7.5 Risk Management Working Group
7.5.1 Search for and identify risks in activities or operations of various departments of the Company related to the collection, use and/or disclosure of personal data
7.5.2 Assess risks by determining the risk level of each activity or operation and identify the acceptable residual risk (Risk Appetite)
7.5.3 Monitor each unit to operate within the acceptable residual risk
7.5.4 Review the risk level of each unit's activities or operations annually
7.5.5 Prepare a report and report the risk to the risk management working group and the risk management committee
7.6 Internal audit unit/external auditor
7.6.1 Audit the work of those involved with personal data
7.6.2 Internal audit unit reviews documents, processes, and assesses the effectiveness of maintaining the security of the system related to personal data
7.6.3 Arrange for the external auditor to review documents, processes, and assess the effectiveness of maintaining the security of the system related to personal data annually
7.6.4 Report the audit results to the Company's Audit Committee

8. Security
For the benefit of maintaining the confidentiality and security of personal data, the Company has the following measures:
8.1 Define the rights to access, use, disclose and process personal data, including displaying or confirming the identity of the person accessing or using personal data, and provide security measures, including the process of reviewing and evaluating the effectiveness of such security measures, in strict accordance with the Company's Information Technology Security Policy.
8.2 In sending, transferring personal data abroad, including storing personal data on a database in any other system, which requires the service provider to receive the data or the service provider to store the data abroad, the destination country where the data is stored must have measures to protect personal data that are equivalent to or better than the measures in this policy.
8.3 In the event of a breach of the Company's security measures, resulting in a breach of personal data, the Company will proceed in accordance with the Data Breach Handling Policy and as required by law. If the breach risks affecting the rights and freedoms of the owner of personal data, the Company will promptly notify the owner of the breach and the remedy measures to the owner of the personal data. The Company will not be liable for any damages resulting from the owner of personal data or any other person who has received consent from the owner of personal data intentionally or negligently or neglecting the security measures, resulting in the use or disclosure of personal data to a third party or any other person.

9. Rights of Data Owners
The consent that the data owner has given to the Company to collect, use and disclose personal data remains valid until the data owner withdraws the consent in writing. The data owner may withdraw the consent or suspend the use or disclosure of personal data for any purpose by sending the data owner's request to the Company in writing as specified in Section 10.
In addition, the data owner has the following legal rights:
• Right to access personal data (Right of Access)
• Right to request the transfer of personal data (Right to Data Portability)
• Right to request the correction of personal data (Right to Rectification)
• Right to object to the processing (Right to Object), request the deletion or destruction (Right to Erasure) and suspend the use of personal data (Right to Restriction of Processing)
• Right to withdraw consent (Right to Withdraw Consent)
• Right to be informed (Right to be Informed)
However, the rights of the data owner must not affect the rights and freedoms of other persons, which are in the performance of duties for the public interest or in accordance with the law, or for research purposes, in accordance with the provisions of the Personal Data Protection Act B.E. 2562.

10. Complaints, whistleblowing
In case of finding reasonable grounds to suspect or believe that there is a violation of the collection, use and/or disclosure of personal data, or the owner of personal data wishes to file a complaint or exercise the rights of the owner of personal data under this policy or the Personal Data Protection Act B.E. 2562, you can contact the Company's Personal Data Protection Officer at the contact details below.
Mr. Pitipong Archamongkol (Personal Data Protection Officer)
Alucon Public Company Limited
500 Moo 1, Soi Sirikam, Sukhumvit 72 Road, Samrong Nuea Subdistrict, Mueang Samut Prakan District, Samut Prakan Province 10270
Tel: 02-3980147 ext. 381

11. Training
The Company provides training and evaluation on compliance with the Personal Data Protection Act to executives and employees at all levels. In this regard, the Data Protection Coordinator (DPC) must participate in the training and strictly require employees under his supervision who are involved with personal data to participate in the training.

12. Policy Review
The Company specifies a review of this policy at least once a year or in the event that the law is amended.

13. Violation
The Company will not compromise on the protection of personal data. Where data processors or persons responsible for any operations under their duties related to the Personal Data Protection Policy neglect their duties, refrain from giving orders, or perform or fail to perform any action in their duties, resulting in the collection, use and/or disclosure of personal data for the wrong purpose or in violation of the owner of personal data, which is a violation of the policy and guidelines on personal data and/or of the Personal Data Protection Act B.E. 2562, such employee shall be subject to disciplinary punishment in accordance with the Company's regulations. If such misconduct by an employee and/or any person causes damage to the Company and/or any other person, the Company may consider taking further legal action.
