1. Definition

“Personal Data” means any information relating to a person which enables the identification of such Person, whether directly or indirectly, such as name, surname, ID number, passport number, but not including the information of deceased Persons in particular.

“Sensitive Personal Data” means any information relating to a particular person which is sensitive and presents significant risks to the person’s fundamental rights and freedoms, which includes data regarding racial, ethnic origin, political opinions, creeds, religious or philosophical beliefs, sexual behaviors, criminal records, health data, disabilities, labor union information, genetic data, biometric data, pictures, VDOs, voices, or any data which may affect the Data Subject in the same manner, as prescribed by the Personal Data Protection Committee.

2. Collection of Personal Data

The Group of Companies shall collect personal data within the purpose, scope, and lawful and fair methods as is necessary which is defined in the scope of the Company’s objectives. Accordingly, the Group of Companies shall inform the Data Subject to gain acknowledgment and consent through letter or electronic mail, except in condition that is unable to ask for consent with such aforementioned methods. In case the Group of Companies needs to collect sensitive data, the Group of Companies shall request explicit consent from the Data Subject before such collection, except for when this is allowed by the Personal Data Protection Act B.E. 2562, or other laws.

3. Purpose of Collecting and Usage of Personal Data

The Group of Companies shall collect or use personal data for the purposes or activities, such as the employment, procurement process, contract execution, financial transactions, annual general meeting, seminar, public relations, fraud preventing, security, collaborations, or other operation activities to improve the Company’s products, service, or processes; database preparation, customer requirement analysis, process analysis and development, and for other purposes which are not prohibited by laws and/or any other purposes which are in compliance with the legal obligations or regulations to which the Group of Companies are subject. The Group of Companies shall retain and use the Personal Data as long as necessary only for the above-mentioned purposes, or as prescribed by laws. The Group of Companies shall not conduct any processes which are different from the purposes as have previously been shared with the

Data Subject except for when:

(1) The Data Subject has been informed of such a new purpose, and prior consent is obtained;

(2) It is necessary for the Group of Companies to be in compliance with this Act or other laws or other regulators which supervise the Group of Companies.

4. Personal data disclosure

The Group of Companies shall not disclose personal data of the Data Subject without the consent of the Data Subject and shall disclose it solely for the above mentioned purposes. However, for the benefit of the Group of Companies operations and service provision to the Data Subject, the Group of Companies may disclose personal data to Company’s subsidiaries or other required persons, domestically and internationally, such as Thailand Securities Depository (TSD), service providers dealing with personal data. By disclose such personal data for specific purposes, the Group of Companies shall select the service provides that have adequate standard of personal data protection. The Group of Companies shall govern the above-mentioned persons to treat the personal data as confidential and not to use the data for purposes which are not covered in prior notifications.

The Group of Companies may disclose personal data of the Data Subject as required by laws and regulations, such as disclosing it to government agencies, state enterprises, and regulators. Also, the Group of Companies may disclose it by virtue of laws, such as requests for the purposes of litigation or prosecution, or requests made by the private sector or other persons involved in the legal proceedings.

5. Direction of Personal Data Protection

The Group of Companies shall establish measures including for the security of personal data in accordance with the laws, regulations, rules, and guidelines regarding the personal data protection for employees and other relevant persons. The Group of Companies shall promote and encourage employees to learn and recognize the duties and accountabilities in the collection, storage, usage, and disclosure of personal data. All employees are required to follow this policy and all guidelines regarding personal data protection in order for the Group of Companies to remain in compliance with this Act accurately and effectively.

6. Rights of Data Subject

The Data Subject is entitled to request any actions regarding their personal data as per the following:

(6.1) Right to request access to and obtain a copy of the related personal data

(6.2) Right to rectification

(6.3) Right to erasure

(6.4) Right to withhold

(6.5) Right to data transfer

(6.6) Right to object

(6.7) Right to withdraw the consent; however, any consent which was obtained earlier shall not be affected

Data Subject may request these rights by sending a notice or submitting e-mail by using form set by the Group of Companies which is able to download on www.bizalignment.com and submitting form to the channel following the Contact Information of this policy in topic no.9. The Group of Companies shall consider the right request received and inform the Data Subject not exceeding 30 days from the date of receiving such request.

In case that the Data Subject withdraws consent or deny giving some information, the Group of Companies may unable to achieve some objectives or all objectives that stated in the policy.

However, the Group of Companies may deny such a right subject to the exception by applicable laws or other regulators which supervise the Group of Companies.

7. Retention of Data

The Group of Companies will retain personal data in reasonable period of time in order to achieve the purposes for which the personal information is obtained and to be used as reference or investigate if necessary. However, unless the law allows longer retention periods, in the event that it cannot be clearly determined the period of retention of personal information, the Group of Companies will retain the information for a period that may be expected according to the standards laws (E.g. ,in general legal, the retention is up to 10 years)

8. Review and Changes of Policy

The Company may review this policy to ensure that it remains in adherence to laws, any significant business changes, and any suggestions and opinions from other organizations. The Company shall announce and review amended policies thoroughly on www.bizalignment.com

Contact Information

Business Alignment Public Company Limited

92/45 Sathorn Thani Building 2, 16th Floor, North Sathorn Rd., Bangrak Bangkok

E-mail : ir@bizalignment.com

โทรศัพท์ : 0-2636-6828-9