Personal Data Protection Policy Veranda Resort Public Company Limited and its Subsidiaries

With awareness of the importance of personal data protection, Veranda Resort Public Company Limited and its subsidiaries (collectively referred to as the “Company”) hereby formulate the Personal Data Protection Policy (the “Policy”) in order to establish the purposes of the collection, the use, and the disclosure of personal data, the protection of personal data, the period of retention, as well as the rights of data subjects, so that the data subjects are aware of the personal data protection policy of the Company.

1. Definitions

“Personal data” means any information that can be used to identify a natural person (“data subject”), whether directly or indirectly, but shall not include, in particular, any information regarding deceased persons.

“Sensitive data” means any information that is intrinsically personal to an individual, that is sensitive, and that may be subject to discrimination, for example race, political opinions, beliefs, religion, philosophy, health or disability information, or any similar data which may affect the data subject.

“Data controller” means a person or a juristic person who has the power and duty to make decisions regarding the collection, use, or disclosure of personal data.

“Data processor” means a person or a juristic person who is engaged in the collection, use, or disclosure of personal data under the instruction of a data controller. The person or juristic person who is engaged in the above-mentioned activities is not considered a data controller.

2. Collection of Personal Data

The Company shall collect personal data in accordance with the purposes, scope, and procedures that are lawful. The personal data shall be collected only to the extent that it is necessary for the operations under the purposes of the Company. In this regard, the Company shall ensure that the data subjects are informed and shall obtain the consent of the data subject by electronic means or any other procedure specified by the Company. In the case that the Company collects sensitive data of a data subject, the Company shall obtain the express consent of the data subject before collecting sensitive data, with the exception of the collection of personal data and sensitive data that falls under the exemption under the Personal Data Protection Act B.E. 2562 (2019) or as prescribed by law.

3. Purposes of the Collection or Use of Personal Data

The Company shall collect or use personal data of data subjects for the purposes specified in this Policy, and shall not use the personal data for any other purposes, unless consent has been granted by the data subject or as required by law. The purposes are as follows:

  1. In the interest of the operations and the provision of services of the Company;
  2. For improvement of the service quality and the enhancement of efficiency;
  3. In order for the Company to be able to perform obligations under agreements;
  4. In order to update the personal data;
  5. In order to prevent severe damage to health and life;
  6. For the legitimate interest of the Company and other persons, provided that such collection of personal data shall not be beyond the scope that the data subject may reasonably foresee, and that the rights of the data subject shall not be prejudiced; and
  7. In order to comply with the laws or regulations relating to the operations of the Company.

4. Disclosure of Personal Data

The Company shall not disclose any personal data of a data subject to any person without the consent of the data subject, and shall disclose personal data in accordance with the purposes of which the Company has informed the data subject. Notwithstanding the foregoing, in the interest of the operations of the Company and the provision of services to the data subject, the Company may be required to disclose the personal data of the data subject to its subsidiaries, the internal auditor, the auditor, or other person or juristic person as prescribed by law.

5. Protection of Personal Data

The Company shall establish measures for safeguarding the security of personal data that are in compliance with the applicable laws, regulations, criteria, and guidelines on personal data protection for the employees of the Company and all concerned parties. In addition, the Company shall encourage and promote the employees to acquire knowledge and be aware of their duties and responsibilities in the collection, the retention, the use, the updating, and the disclosure of personal data. The Company shall adopt appropriate security measures to prevent any unauthorized access or breach of personal data, or any adjustment or destruction of personal data. In this regard, the employees of the Company shall comply with the Policy as specified by the Company in order for the Company to be able to properly and efficiently comply with the Policy and the law on personal data protection.

6. Control of Third-Party Service Providers

The Company may outsource the management of personal data to its third-party service providers, which includes a data processor. The Company shall appoint only a service provider who has confirmed that it has the capability to properly manage personal data, and the Company shall disclose personal data to the service provider in accordance with the scope of work and the provision of services, and shall enter into an agreement with the service provider in writing or by similar means to ensure that the service provider shall properly manage personal data.

7. Period for Retention of Personal Data

The Company shall retain personal data for a period that is necessary in the interest of the operations or provision of services to the data subjects, or the period required by the relevant law.

8. Rights of Data Subjects

The data subjects of personal data shall have the following rights:

  1. Right to withdraw consent: The data subject has the right to withdraw consent for the processing of personal data that he or she has given to the Company, provided that any withdrawal of consent shall not affect the use, collection, or the disclosure of personal data to which the data subject has given his or her consent.
  2. Right to access personal data: The data subject has the right to access his or her personal data and to make copies of his or her personal data throughout the period his or her personal data is retained by the Company.
  3. Right to personal data portability: The data subject has the right to transfer his or her personal data given to the Company to other data controllers when such transfer is made possible by an automatic means or in accordance with the procedures specified by the Company.
  4. Right to object to the processing of personal data: The data subject has the right to object to the processing of his or her personal data by the Company.
  5. Right to erase, destroy or suspend any use of personal data: The data subject has the right to request the Company to erase, destroy, or suspend any use of his or her personal data retained by the Company, or to request the Company to undertake any act rendering that the data cannot be used to identify the data subject provided that such undertaking is not against the law.
  6. Right to rectification: The data subject has the right to request the Company to rectify and update his or her personal data retained by the Company.

The data subject can request the Company to exercise the rights stated above by submitting a request for exercising the rights to the Company in writing or via an electronic mail in the form specified by the Company to the “Contact Channel” set out below. The Company shall consider the request and inform the data subject of the results of consideration within 30 days from receipt of the request. Notwithstanding the foregoing, the Company may decline the right of the data subject if it is required by law.

9. Review and Amendment of the Personal Data Protection Policy

The Company may amend or revise this Policy from time to time as it deems necessary in order to ensure that the Policy is in compliance with the law. Any amendment or revision to the Policy will be published on the Company’s website or any other channel that it deems appropriate.

10. Contact Channel

Contact: Data Protection Officer
Name: Ms. Pinitporn Pooyadaow
Address: Veranda Resort Public Company Limited 555 Rasa Building, Unit 2701-2704, 27th Floor, Phaholyothin Road, Chatuchak Subdistrict, Chatuchak District, Bangkok 10900
Telephone: 0-2513-3003
Email: [email protected]