Announcements & Policies


 

PRIVACY POLICY

Pentai Legal Co., Ltd. (hereinafter referred to as the "Company") respects the right to privacy and places great importance on the protection of personal data of individuals who engage in transactions with, utilize services provided by, or are otherwise associated with the Company. Accordingly, the Company has established this Privacy Policy to provide clear and appropriate principles, mechanisms, governance measures, and management practices relating to the protection of personal data as follows.

Section 1: Principles and Rationale

In light of the rapid advancement of information technology and communication systems, access to, collection, use, and disclosure of personal data can be conducted easily, conveniently, and expeditiously, which may result in damage to data subjects.

Furthermore, the Personal Data Protection Act B.E. 2562 (2019) was published in the Royal Gazette on 27 May 2019. The Company recognizes the importance of personal data protection as a fundamental right protected under the Constitution of the Kingdom of Thailand and the Universal Declaration of Human Rights.

No person shall be subjected to arbitrary interference with his or her privacy, family, home, or correspondence, nor to attacks upon his or her honor and reputation. Every person has the right to the protection of the law against such interference or attacks.

The Company is committed to supporting and respecting the protection of human rights in accordance with internationally recognized standards, including the principles of the United Nations Global Compact (UN Global Compact) and the Personal Data Protection Act B.E. 2562 (2019). Accordingly, the Company hereby establishes this Policy as the governing framework for personal data protection.

Section 2: Objectives

This Privacy Policy is established to protect the personal data of Data Subjects who conduct transactions with, receive services from, have interests in, or are otherwise associated with the Company.

The objectives of this Policy are as follows:

2.1 To define the roles and responsibilities of departments, executives, and employees involved in the processing of personal data.

2.2 To establish procedures and security measures for the protection of personal data.

2.3 To provide operational guidelines for employees handling personal data.

2.4 To promote confidence in the security and protection of personal data among individuals, customers, business partners, service users, and other stakeholders associated with personal data.

2.5 To verify and authenticate individuals.

2.6 To investigate and prevent unlawful activities.

2.7 To conduct Data Analytics for legitimate and lawful purposes.

2.8 To facilitate human resource management for the Company and its affiliated entities.

2.9 To facilitate internal organizational administration.

2.10 To provide information to governmental authorities where required by law or upon lawful request by competent authorities.

2.11 To establish, exercise, defend, or enforce legal claims and legal proceedings.

2.12 To conduct business transactions relating to the Company's operations.

2.13 To comply with all applicable laws and regulations governing the Company.

Section 3: Scope of Application

3.1 This Policy shall apply to directors, executives, employees at all levels, business partners, service providers, and stakeholders of Pentai Legal Co., Ltd.

3.2 This Policy shall apply to all business activities and operations of the Company involving the collection, use, disclosure, storage, or processing of personal data.

Section 4: Definitions

“Company” means Pentai Legal Co., Ltd.

“Personal Data” means any information relating to an individual that enables the identification of such individual, whether directly or indirectly, excluding information relating to deceased persons. For the purposes of this Policy, an individual refers to a living natural person and excludes juristic persons.

“Sensitive Personal Data” means personal data relating to matters that are inherently private and sensitive in nature and may expose the data subject to the risk of unfair discrimination. Such data shall be processed with particular care and includes, but is not limited to, racial or ethnic origin, religious beliefs, sexual behavior, political opinions, criminal records, labor union information, health data, disability information, genetic data, biometric data, and any other information prescribed by law.

“Data Subject” means a person to whom the personal data relates and who can be identified by such personal data, regardless of ownership rights over the information or whether the individual created such information.

“Data Processor” means a natural person or juristic person that processes personal data on behalf of the Company, including vendors, contractors, external persons, or external organizations engaged by the Company.

“Person” means a natural person.

“Data Protection Officer (DPO)” means a person appointed by the Company to perform duties relating to personal data protection in accordance with the Personal Data Protection Act B.E. 2562 (2019).

“Data Protection Coordinator (DPC)” means a person designated or assigned to coordinate with individuals, organizations, or other parties and perform duties relating to personal data protection under this Policy.

Section 5: Personal Data Protection

The Company may collect Personal Data, including personal identification information, information relating to an individual's private life or personal interests, financial information, and Sensitive Personal Data. The sources and principles governing the collection of Personal Data are as follows:

5.1 Sources of Personal Data

The Company may obtain Personal Data from the following sources:

5.1.1 Direct Collection from the Data Subject

The Company may collect Personal Data directly from the Data Subject, including through the completion of forms, execution of contracts or other documents, job applications, responses to questionnaires in both paper-based and electronic formats, or when the Data Subject communicates with the Company through designated communication channels.

5.1.2 Collection Through Electronic Systems

The Company may collect Personal Data when a Data Subject accesses the Company's website, software, or applications, including through the monitoring of website usage behavior by means of cookies or software installed on the Data Subject’s device.

5.1.3 Collection from Third-Party Sources

The Company may collect Personal Data from sources other than the Data Subject, provided that such collection is lawful or that the Data Subject has consented to the disclosure of such information to the Company.

Such sources may include website searches, inquiries made to third parties, disclosures by affiliated companies, companies within the same corporate group, business partners, or other third parties for the purposes specified in this Policy.

The Company shall notify the Data Subject without undue delay from the date of collection from such sources and shall obtain consent where required by law, unless an exemption from notification or consent applies under applicable legislation.

5.2 Collection of Personal Data

5.2.1 Collection Principles

Personal Data shall be collected only for specified purposes and only to the extent necessary for achieving such purposes or purposes directly related thereto.

Prior to, or at the time of collection, the Company shall inform the Data Subject of the following:

  1. The purpose of collection;
  2. The retention period;
  3. Categories of persons or organizations to whom the Personal Data may be disclosed;
  4. Contact information of the Company;
  5. Rights of the Data Subject; and
  6. Consequences of failure to provide Personal Data where such provision is required by law or necessary for entering into or performing a contract.

5.2.2 Legal Bases for Collection

The Company shall collect only such Personal Data as is necessary for lawful purposes previously notified to the Data Subject.

The Company shall obtain explicit consent from the Data Subject prior to or at the time of collection unless collection is permitted without consent under applicable law, including the following circumstances:

(a) for the achievement of objectives relating to historical documentation, archives in the public interest, scientific or statistical research, provided that appropriate safeguards are implemented to protect the rights and freedoms of Data Subjects;

(b) where necessary to prevent or suppress danger to a person's life, body, or health;

(c) where necessary for the performance of a contract to which the Data Subject is a party, or to take steps at the request of the Data Subject prior to entering into such contract;

(d) where necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;

(e) where necessary for the legitimate interests pursued by the Data Controller or another person or legal entity, provided that such interests do not override the fundamental rights and freedoms of the Data Subject; and

(f) where necessary for compliance with legal obligations applicable to the Data Controller.

5.2.3 Failure to Provide Personal Data 

Where the provision of Personal Data is required by law, contract, or is necessary for entering into a contract, failure by the Data Subject to provide such information may result in the suspension, postponement, or termination of relevant transactions or activities until the required Personal Data is provided.

This is because the Company may be unable to process the relevant information or because applicable laws may prohibit the continuation of such transactions or activities.

5.3 Collection of Personal Data of Persons with Limited Capacity

Where the Data Subject is a minor and the processing activity relates to a matter for which the minor is unable to provide consent independently under applicable law, consent must be obtained from the minor’s parent or legal guardian.

Where the Data Subject is an incompetent person or a quasi-incompetent person, consent must be obtained from the legal guardian or curator, as applicable.

5.4 Collection of Sensitive Personal Data

The Company shall not collect Sensitive Personal Data unless such collection is necessary and explicit consent has been obtained from the Data Subject.

This requirement shall not apply where collection without consent is permitted by law.

5.5 Retention of Personal Data

The Company shall retain Personal Data as follows:

  1. Personal Data may be retained in documentary and/or electronic form.
  2. Personal Data shall be stored in locations with restricted access controls, on computer servers (Servers), and/or on online cloud-based storage systems maintained by service providers within the Company's group.

Section 6: Use or Disclosure of Personal Data

The use or disclosure of Personal Data shall be limited to the purposes communicated to the Data Subject before or at the time of collection, or to purposes directly related to the original purpose of collection.

The Company shall obtain consent from the Data Subject prior to any use or disclosure of Personal Data unless such consent is not required by law or where the use or disclosure is necessary for compliance with legal obligations.

Any person or juristic entity receiving Personal Data based on the Data Subject’s consent or acting as a Data Processor shall use such Personal Data solely for the purposes consented to by the Data Subject and notified to the Company.

 

Such Personal Data shall not be used for any purpose other than those expressly authorized.

Section 7: Quality of Personal Data

Personal Data collected and maintained by the Company shall be accurate, up-to-date, complete, and not misleading.

The Company shall establish appropriate procedures and communication channels to enable Data Subjects to request access to, correction of, or updates to their Personal Data in order to ensure the accuracy and reliability of such information.


Section 8: Roles, Duties, and Responsibilities

The Company requires all employees and departments involved in the collection, use, disclosure, or processing of Personal Data to recognize the importance of Personal Data Protection and to strictly comply with this Policy and all related Personal Data Protection practices.

The following persons and organizational units shall be responsible for supervising and monitoring compliance with this Policy and applicable Personal Data Protection laws.

8.1 Data Controller

8.1.1 To implement appropriate Personal Data security measures and periodically review such standards to ensure effectiveness and alignment with evolving technologies.

8.1.2 To define and control the scope of Personal Data management and disclosure to third parties.

8.1.3 To establish monitoring and auditing systems to ensure that Personal Data management complies with applicable legal requirements.

8.1.4 To maintain records relating to Personal Data processing activities as required by law.

8.1.5 To enter into agreements with Data Processors, juristic persons, or external service providers where Personal Data is disclosed to such parties.


Any Data Processor, external person, or external organization engaged by the Company must implement appropriate security measures, and all collection, use, and disclosure of Personal Data must comply with this Policy and the Personal Data Protection Act B.E. 2562 (2019).


8.2 Data Processor

8.2.1 To collect, use, disclose, and otherwise process Personal Data only in accordance with instructions received from the Data Controller.

8.2.2 To implement appropriate security measures for the protection of Personal Data.

8.2.3 To prepare and maintain records of Personal Data Processing Activities.

8.3 Data Protection Officer (DPO)

8.3.1 To provide advice and recommendations relating to Personal Data Protection to the Company's executives, employees, and business partners.

8.3.2 To monitor the activities of the Data Controller and Data Processor to ensure compliance with applicable Personal Data Protection requirements.

8.3.3 To coordinate and cooperate with the Office of the Personal Data Protection Committee in connection with any issues concerning the collection, use, or disclosure of Personal Data by the Company or its business partners.

8.4 Personal Data Protection Committee 

8.4.1 To establish and periodically review the Company's Privacy Policy and Personal Data Protection practices to ensure legal compliance and completeness. 

8.4.2 To provide legal consultation and guidance regarding Personal Data Protection matters.

8.4.3 To supervise the Company's departments and business partners to ensure compliance with this Policy and related Personal Data Protection procedures.

8.4.4 To report Personal Data Protection compliance and operational matters to the Chairperson of the Personal Data Protection Committee.


Section 9: Security Measures for Personal Data

For the purpose of maintaining the confidentiality, integrity, and security of Personal Data, the Company shall implement the following measures:

9.1 Access Control and Security Management

The Company shall establish and enforce access rights relating to the access, use, disclosure, and processing of Personal Data, including authentication and identity verification procedures for individuals accessing or using Personal Data.

Appropriate security measures, monitoring procedures, reviews, and effectiveness assessments shall be implemented and maintained in strict accordance with the Company's Information Security Policy.

9.2 International Data Transfer

Where Personal Data is transferred to a foreign country or stored on information systems located outside Thailand, including cloud-based storage services operated by overseas service providers, the destination country or recipient shall maintain Personal Data Protection standards that are equivalent to or higher than those required under this Policy.

9.3 Personal Data Breach Notification

In the event of a violation of the Company's security measures resulting in a Personal Data Breach, the Company shall notify the Office of the Personal Data Protection Committee within seventy-two (72) hours from the time the Company becomes aware of such breach, to the extent practicable.

Where the breach is likely to result in a high risk to the rights and freedoms of Data Subjects, the Company shall notify affected Data Subjects without undue delay and shall provide information regarding available remedial measures.

The Company shall not be liable for any damage arising from the intentional misconduct, negligence, or failure of a Data Subject or any person authorized by the Data Subject to comply with applicable security measures, where such conduct results in the unauthorized use or disclosure of Personal Data to third parties.


Section 10: Personal Data Processing

Upon receipt of Personal Data, the Company may collect, use, disclose, store, and otherwise process such Personal Data in accordance with the following provisions.

10.1 Collection Process

The Company shall collect Personal Data in documentary and/or electronic form only to the extent necessary for the provision of services, including electronic services, and solely for the purposes specified by the Company.

Personal Data shall be retained only for such period as is necessary to fulfill the stated purposes. The Data Subject represents and warrants that all Personal Data provided to the Company is accurate, complete, current, and lawfully disclosed.

The Company may combine Personal Data obtained from the Data Subject with information obtained from other lawful sources, provided that such combination is necessary and the Data Subject's consent has been obtained where required by law.

Such processing shall be undertaken for the purpose of maintaining accurate and up-to-date records and improving the quality and efficiency of the Company's services.

10.2 Use of Personal Data

The Company may use Personal Data where it determines that such use is beneficial to its business operations, necessary for compliance with applicable laws and regulations, or required for improving services and information security standards.

The Company may also use Personal Data for risk management, prevention of unlawful activities, compliance monitoring, communication with Data Subjects by telephone, electronic messages, e-mail, postal mail, or other communication channels, verification of information, surveys, and the provision of information relating to the Company's products and services where necessary.

10.3 Disclosure of Personal Data

The Company may disclose Personal Data to third parties solely for purposes relating to the Company's business operations and in accordance with the purposes communicated to and consented to by the Data Subject.

 

The Company shall not disclose Personal Data to any unauthorized third party without the Data Subject's consent, except where disclosure is required by law or made to governmental authorities, courts, law enforcement agencies, regulators, or other persons legally entitled to receive such information.

Section 11: Personal Data Retention Period

Personal Data for which the Data Subject has provided consent (Consent) or Personal Data collected and processed by the Company based on lawful grounds, including Contract, Legal Obligation, Vital Interests, Public Interest, Legitimate Interests, and Archives / Research / Statistics, may be collected, used, disclosed, processed, and retained in accordance with the purposes for which consent was obtained or as otherwise permitted by applicable law.

Such Personal Data shall be retained within the Company's data retention system as follows:


| Data Subject | Retention Period |
| --- | --- |
| Directors and Shareholders | Throughout the period of holding office as a director or shareholder and for an additional ten (10) years after cessation of such status |
| Customers under Contract | Throughout the term of the contract and for an additional ten (10) years after contract termination |
| Customers with Purchase Orders (PO) Only | Throughout the business relationship and for an additional ten (10) years after termination of customer status |
| Vendors under Contract | Throughout the term of the contract and for an additional ten (10) years after contract termination |
| Vendors with Purchase Orders (PO) Only | Throughout the business relationship and for an additional ten (10) years after termination in accordance with procurement regulations |
| Current and Former Employees | Throughout the period of employment and for an additional ten (10) years from the termination date of each employee |
| Job Applicants | Retained for one (1) year from the interview date |

Destruction Timeline: Delete/Destroy within thirty (30) days from the expiry of the retention period

Method of Destruction: Destruction shall be carried out in a manner that prevents access to Personal Data, or shall be subject to a confidentiality agreement between the parties


The Company hereby confirms that, upon expiration of the applicable retention period and/or upon withdrawal of consent by the Data Subject, the Company shall no longer be entitled to rely upon such consent or any other legal basis to process, collect, retain, use, or disclose the Personal Data for the purposes previously consented to by the Data Subject.

Accordingly, the Company shall delete or destroy such Personal Data within thirty (30) days from the expiration of the retention period or from the effective date of withdrawal of consent, as the case may be.

Notwithstanding the foregoing, the deletion or destruction requirements set out above shall not apply to the following categories of Personal Data:

11.1 Personal Data retained for the exercise of freedom of expression.

11.2 Personal Data retained for historical documentation, archives in the public interest, scientific research, or statistical purposes.

11.3 Personal Data retained for the prevention or suppression of danger to life, body, or health of any person.

11.4 Personal Data retained where necessary for the performance of a contract to which the Data Subject is a party, or for taking steps at the request of the Data Subject prior to entering into a contract.

11.5 Personal Data retained for the legitimate interests of the Data Controller.

Sensitive Personal Data

11.6 Sensitive Personal Data retained where necessary for compliance with applicable laws or for achieving objectives relating to substantial public interest, provided that appropriate measures are implemented to safeguard the fundamental rights and interests of the Data Subject.


Section 12: Rights of the Data Subject

The Data Subject shall have the following rights under applicable Personal Data Protection laws: 

(1) Right to Withdraw Consent: The Data Subject may withdraw consent previously given to the Company at any time. Such withdrawal shall not adversely affect the Data Subject's lawful rights or benefits.

(2) Right of Access: The Data Subject has the right to access and obtain a copy of his or her Personal Data held by the Company, including the right to request disclosure of the source from which the Company obtained such Personal Data where the information was not obtained directly from the Data Subject.

(3) Right to Rectification: The Data Subject has the right to request correction, amendment, or updating of inaccurate Personal Data.

(4) Right to Erasure: The Data Subject has the right to request deletion or destruction of all or part of his or her Personal Data, except where the Company is legally entitled or required to retain such information.

(5) Right to Restriction of Processing: The Data Subject has the right to request suspension or restriction of the processing of all or part of his or her Personal Data under circumstances prescribed by law.

(6) Right to Data Portability: The Data Subject has the right to obtain Personal Data provided to the Company and transfer such data to another Data Controller, or to receive such data directly, where legally applicable.

(7) Right to Object: The Data Subject has the right to object to the processing of Personal Data under circumstances prescribed by law.

(8) Right to Lodge a Complaint: The Data Subject has the right to lodge a complaint with the relevant governmental authority where the Company, its employees, contractors, or representatives violate or fail to comply with the Personal Data Protection Act B.E. 2562 (2019).

The Company reserves the right to reject any request under Clauses (1)–(8) where such rejection is permitted or required under applicable laws.

Any Data Subject wishing to exercise the rights set forth herein may submit a request to the Company free of charge. The Company shall consider such request and notify the Data Subject of the outcome within thirty (30) days from the date of receipt of the request.


Section 13: Amendments to the Privacy Policy

The Company shall periodically review and maintain this Privacy Policy to ensure compliance with the Personal Data Protection Act B.E. 2562 (2019) and all applicable laws, regulations, and guidelines.

In the event of any amendment to this Privacy Policy or any change in the purposes of Personal Data Processing, the Company shall publish the updated version on the Company's website within thirty (30) days from the date of such amendment or change.


Section 14: Training

The Company shall provide training and assessment programs relating to compliance with Personal Data Protection laws for executives and employees at all levels.

Data Protection Coordinators shall participate in such training programs and ensure that employees under their supervision who handle Personal Data also participate in such training in a strict and consistent manner.


Section 15: Review and Amendment of the Privacy Policy

The Company shall review this Privacy Policy at least once annually.

Where amendments are made, the Company shall notify employees and relevant external parties within thirty (30) days from the effective date of such amendment.


Section 16: Penalties

Any Data Controller, Data Processor, employee, officer, or person responsible for Personal Data Processing who neglects, fails to perform, directs, or performs any act in violation of this Privacy Policy, related procedures, or the Personal Data Protection Act B.E. 2562 (2019), resulting in legal liability or damage, shall be subject to disciplinary action in accordance with the Company's regulations and may also be subject to civil, criminal, administrative, or other legal penalties as prescribed by applicable law.

Where such violation causes damage to the Company and/or any third party, the Company reserves the right to pursue additional legal action against the responsible person.


Section 17: Contact Information

Data Controller

Name: Pentai Legal Co., Ltd.
Address: 1/134 Soi Watcharaphon 2/7, Tha Raeng Subdistrict, Bang Khen District, Bangkok 10220, Thailand
Telephone: +66 (0)2-117-3025(6)
Email: Info@Pentai.co.th
Website: https://www.pentai.co.th/

Supervisory Authority

Office of the Personal Data Protection Committee (PDPC)
Telephone: +66 (0)2-142-1033
Email: pdpc@mdes.go.th


Effective Date: 1 June 2022

Announced on 1 June 2022

Mr. Achanan Khwandi
Chairman of the Board of Directors 




