In compliance with the Personal Data Protection Act B.E. 2562 (2019) and other relevant laws, including any future amendments ("Personal Data Protection Laws"), 2J Solution and Service Co., Ltd. ("the Company") has established this Personal Data Protection Policy ("Policy") to inform the Company's personnel and employees of how personal data is collected, used, and disclosed in connection with the Company's business operations, in accordance with the Personal Data Protection Laws.
Key Definitions
"Personal Data" means data about a natural person that enables identification of that person, whether directly or indirectly, but does not include data relating specifically to deceased persons.
"Sensitive Personal Data" means personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union data, genetic data, biometric data, or any other data which may give rise to unfair discrimination against or similarly affect the data subject, as specified under the Personal Data Protection Laws.
"Data Subject" means the natural person to whom personal data relates, including the Company's personnel, customers, business partners, visitors, and any other natural person whose personal data the Company collects, uses, or discloses.
"Data Controller" means a natural person or legal entity having authority and responsibility to make decisions regarding the collection, use, or disclosure of personal data.
"Data Processor" means a natural person or legal entity that carries out the collection, use, or disclosure of personal data pursuant to the instructions of or on behalf of the Data Controller. Such a person or entity is not a Data Controller.
"Processing" means any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, alteration or adaptation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
"Legal Basis" means a lawful ground for collecting and processing personal data under the Personal Data Protection Laws.
1. Lawful Collection of Personal Data
When collecting, using, or disclosing personal data, the Company must act under a legal basis as prescribed by the Personal Data Protection Laws and as set out in this Policy:
General Personal Data — the Company will collect personal data under one of the following legal bases:
- Vital Interest — prevention or suppression of danger to a person's life, body, or health
- Contract — performance of a contract or steps taken at the request of the data subject prior to entering into a contract
- Public Interest — performance of a task carried out in the public interest
- Legitimate Interest — purposes of the legitimate interests of the Company or a third party
- Legal Obligation — compliance with a legal obligation
- Explicit Consent — freely given, specific, and informed consent of the data subject
Sensitive Personal Data — the Company will collect sensitive personal data only upon obtaining explicit consent from the data subject, unless one of the following legal exceptions applies:
- To prevent or suppress danger to life, body, or health of a person when the data subject is incapable of giving consent for any reason (typically in emergency situations)
- The data has been made publicly available with the explicit consent of the data subject
- It is necessary to comply with the law for one of the following purposes:
  - Preventive medicine or occupational medicine, or assessment of an employee's working capacity
  - Public health interests
  - Labor protection, social security, national health insurance, or welfare relating to medical treatment under the rights of entitled persons, where collection is necessary for the exercise of rights or obligations of the Company or the data subject
  - Scientific, historical, or statistical research, or other public interest
  - Other significant public interests, such as collection for the purpose of preventing communicable diseases or epidemics, or collection and disclosure to government agencies for the purpose of anti-money laundering
Note: The interpretation of "public interest" may change in accordance with the guidelines of the Personal Data Protection Committee or as specified in subordinate legislation that may be enacted in the future.
Details regarding the types, purposes, and legal bases of the Company's personal data collection will be set out in the Privacy Notice for each category of data subject.
2. Personal Data Collection Practices
The Company shall consider and collect only the minimum personal data necessary to achieve its stated purposes, and shall delete or destroy any unnecessarily obtained data — particularly sensitive personal data.
For example, when processing personal data from a copy of an ID card to verify a person's identity, the Company generally requires only general personal data (such as name, surname, ID number, and photograph). If sensitive personal data appears on the copy (such as religion or blood type), the Company will redact such information, retaining only what is necessary for identification purposes.
This minimizes the risk of unlawful collection, use, or disclosure of personal data and reduces the risk of data breaches.
3. Privacy Notice for Data Subjects
Whenever the Company collects personal data, it must provide a Privacy Notice to data subjects — such as job applicants, personnel and shareholders, customers, business partners, or any other persons from whom personal data is collected — to explain how their personal data is collected and processed. The Privacy Notice must contain at least the following:
- Purpose of personal data collection
- Legal basis for collection
- Notification of cases where the data subject is required to provide personal data to comply with a law or contract, or to enter into a contract, including the consequences of failing to do so
- Categories of personal data to be collected
- Retention period (or, where this cannot be determined, the expected retention period)
- Categories of persons or entities to whom the data may be disclosed
- Rights of the data subject
- Company contact details (and contact details of any representative or Data Protection Officer, where applicable)
- Any other relevant information necessary for the data subject to understand and, where applicable, make an informed decision about giving consent
The Privacy Notice must be provided to data subjects before or at the time of collection. Where data was collected before this Policy came into effect and the Company continues to use it, the Privacy Notice must be provided as soon as possible.
Re-notification is not required if the data subject has already received the Privacy Notice, unless the Privacy Notice is subsequently amended, in which case the updated version must be re-issued.
4. Sources of Personal Data
Generally, the Company will collect personal data directly from the data subject — for example, through verbal communication or submission of documents.
Where it is necessary to collect personal data from other sources or third parties, the Company must: (a) notify the data subject of the collection and provide the Privacy Notice without delay and no later than 30 days from the date of collection, except that where the data will be used to contact the data subject, notification may be given at the first contact, and where the data will be disclosed, notification must be given before the first disclosure; and (b) obtain consent from the data subject where the collection is based on consent.
In some cases, notification under (a) may not be required if the Company can demonstrate that notification is impossible or would obstruct the use or disclosure of data, or that the data subject already has knowledge of the relevant details.
Where the Company engages a Data Processor to act on its behalf, the Company may authorize the Data Processor to provide the Privacy Notice on its behalf, provided that the Data Processor complies with this Policy accordingly.
5. Rights of Data Subjects
The Company acknowledges that data subjects have the right to take actions with respect to their personal data held by the Company, as prescribed by the Personal Data Protection Laws. The Company must provide a request form to facilitate the exercise of these rights. Where the Company has grounds to refuse a request, it must notify the data subject in writing and record the grounds for refusal in writing.
The rights of data subjects are as follows:
- Right to withdraw consent
- Right to access and receive a copy of personal data
- Right to data portability
- Right to object to the collection, use, or disclosure of personal data
- Right to erasure of personal data
- Right to restriction of use of personal data
- Right to rectification of personal data
- Right to lodge a complaint
6. Duties and Responsibilities of Personnel
All employees and personnel of the Company are obligated to comply with the Personal Data Protection Laws and this Policy, to maintain strict confidentiality of personal data, and not to misuse, exploit for personal benefit, or unlawfully use any personal data obtained in the course of their duties. Responsibilities are defined by level as follows:
Managing Director and Senior Management
- Designate a Data Protection Officer (DPO) and/or other persons or units to serve as the central point for personal data protection matters
- Assign employees to establish personal data protection practices, including risk management procedures and breach response plans
- Ensure regular review and monitoring of compliance with this Policy
- Approve policy-level decisions regarding personal data protection, including amendments to this Policy
- Review and approve responses to data subject requests that may have a significant impact on the Company, the data subjects, or others
Data Protection Officer (DPO) or Designated Privacy Responsible Person
- Analyze, assess, monitor, and supervise the Company's personal data processing activities and advise internal departments
- Review and approve departmental personal data protection practices and breach response procedures
- Advise on responses to data subject requests with significant impact
- Report personal data processing matters to senior management
- Liaise with the Personal Data Protection Office (PDPO) and report data breaches within the legally required timeframes
- Monitor developments in personal data protection laws and inform Company personnel
- Raise awareness and provide training to personnel on personal data protection
Department Managers
- Authorize access to personal data and assign responsibility for data management within their departments
- Establish departmental practices and training on personal data protection
- Implement appropriate security measures for personal data in their departments
- Approve responses to data subject requests and consult with relevant departments, the DPO, and management where significant impact may arise
- Maintain records of data collection, use, and disclosure in accordance with this Policy
- Receive and assess breach reports from subordinates, consult with the DPO and management, and initiate appropriate remedial action
Employees
- Collect, use, and disclose personal data in compliance with this Policy and participate in personal data protection training
- Fulfill assigned duties related to personal data management, including security, transmission, disclosure, and record-keeping
- Report to supervisors any collection, use, or disclosure of personal data believed to be unlawful or that may pose risks to data subjects' rights and freedoms
- Report to supervisors any data subject rights requests received, for approval
- Immediately report any known data breach to supervisors, regardless of whether it was intentional or negligent, and regardless of the level of risk involved
Note: Violation of the Personal Data Protection Laws and/or this Policy may constitute a disciplinary offense. Where the violation causes damage to the Company, it may result in termination. Personnel acting on behalf of the Company may also be subject to criminal penalties including fines and/or imprisonment.
7. Duties and Responsibilities of Data Processors
Where the Company engages a business partner acting as a Data Processor, the Company must enter into a Data Processing Agreement (DPA) with that party, requiring strict compliance with the Personal Data Protection Laws and this Policy, including the following obligations:
- Collect, use, and disclose personal data only within the scope of the Company's instructions as set out in the DPA, and attend training when requested
- Implement appropriate security measures to prevent loss, unauthorized access, use, alteration, or disclosure of personal data
- Notify the Company of any personal data breach without delay and within 24 hours of becoming aware of it
- Assist the Company in responding to data subject rights requests
Note: Breach of the Personal Data Protection Laws or this Policy by a Data Processor may constitute a breach of contract. Where damage to the Company results, the Company may terminate the contract.
8. Personal Data Protection Measures
The Company must implement security measures for personal data covering administrative, technical, and physical safeguards, including at minimum the following access control measures:
- Control of access to personal data and storage/processing devices, balancing usability and security
- Definition of access authorization and rights for personal data
- User access management to restrict access to authorized persons only
- Definition of user responsibilities to prevent unauthorized access, disclosure, copying, or theft of personal data or devices
- Implementation of audit trail mechanisms to track access, modification, deletion, or transfer of personal data, appropriate to the methods and media used
These measures must be reviewed as necessary or as technology evolves, to maintain appropriate security standards as required by law.
9. Records of Personal Data Processing Activities
The Company must maintain records of personal data collected and processed, including at minimum:
- Personal data collected, along with the purpose and retention period
- Use or disclosure of personal data under legal bases other than consent
- Rights of data subjects, and the methods and conditions for exercising access rights
- Refusals or objections to rights requests, with reasons as specified in this Policy
- Description of the security measures implemented by the Company
These records enable data subjects to verify and enforce their rights as notified to or requested from the Company.
10. Cross-Border Transfer of Personal Data
The Company may transfer personal data to foreign countries or international organizations in the following cases:
- The destination country has been recognized as having adequate personal data protection standards
- Where the destination country does not have adequate standards, the transfer falls within one of the following exceptions:
  - Compliance with the law
  - Consent of the data subject, given after being informed of the inadequate standards of the destination
  - Necessity to perform a contract to which the data subject is a party, or to take pre-contractual steps at the data subject's request
  - Performance of a contract between the Company and another party for the benefit of the data subject
  - Prevention or suppression of danger to life, body, or health when the data subject is unable to give consent
  - Necessity for an important public interest task
- For transfers within the same corporate group, the Company may transfer personal data without meeting the above conditions, provided a Binding Corporate Rules (BCR) policy has been reviewed and certified by the Personal Data Protection Office (note: the Company currently has no such intra-group transfer policy)
Currently, the Personal Data Protection Committee has not designated any countries as having adequate protection standards, nor certified any BCR policies. However, the Company may still transfer personal data internationally where it has implemented appropriate protection measures, enforceable data subject rights, and effective legal remedies in accordance with legally prescribed standards. As such standards have not yet been established in law, the Company may proceed under the exceptions listed above until further legislation is enacted.
11. Response to Personal Data Breaches
Upon discovering a personal data breach, all employees and personnel must coordinate to investigate the cause and identify corrective measures to prevent recurrence. The Company must notify the Personal Data Protection Office without delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to pose a high risk to the rights and freedoms of data subjects, the Company must also notify the affected data subjects and provide remedial guidance without delay.
12. Amendments to This Policy
This Personal Data Protection Policy may be amended as appropriate in accordance with changes in law and business requirements.
This Policy was last amended on 1 June 2022.
13. Further Inquiries and Reporting a Data Breach
For further questions regarding personal data protection, additional documents may be downloaded via the links below:
- A1 – (EN) Data Protection Policy v.1.0
- A1 – (TH) Data Protection Policy v.1.0
To report a personal data breach, please contact:
2J Solution and Service Co., Ltd. 390 ABC World Building, Soi Ramkhamhaeng 30, Huamark, Bang Kapi, Bangkok 10240
Tel: 02-078-5599 Email: dpo@2j.co.th