Policy for the Shareholder

Privacy Policy for Shareholders, Directors, and Advisors

Supalai (Public) Company Limited (“Company”) respects the rights to privacy of shareholders, directors, and advisors (“you”). To ensure your personal data is protected, this privacy policy has been issued to inform you of the details of the collection, use, and disclosure (together referred to as “process”), including the deletion and destruction of your personal data, both online channels, and any other channels as required under the Personal Data Protection Laws, as follows;

1. Objectives of the Process of Personal Data
  1. 1.1 To comply with the relevant laws such as the management of the Company (i.e. the increase of capital, decrease of capital, restructuring of the business, amendment of the company registrar), Shareholders Meetings, nomination and being the Company directors, Board of the Directors Meeting, management concerning the rights and duties of the shareholders, payment of dividend, accounting and audit report, legal documents, delivery of the documents or notice which includes any other legal liability as the listed Company in the Stock Exchange of Thailand.
  2. 1.2 For the legitimate interest of the Company or other persons i.e. the management of the Company, records of video or voice of the meeting, security, organizing of the activities, delivery of news or proposal for the benefit of the shareholders or directors, including the exercise of the legal claims
  3. 1.3 To prevent or mitigate the dangers against the life, body, or health of you or other persons i.e. the emergency contact, the control of communicable diseases.
2. The Collected Personal Data
  1. 2.1 The Company collects the personal data of the shareholders, including the attorney-in-fact or the proxy, by directly collecting such personal data from you or the Security Registrar such as name, surname, address, telephone number, email, point of contact, nationality, occupation, date of birth, tax ID, ID Card Number, Juristic Person Registration Number, bank account, number of shares.
  2. 2.2 The Company collects the personal data of the directors, advisors, and the nominated person for the directors by directly collecting such personal data from you and will disclose the data to the public as follows;
    1. (1) In the recruitment procedure, the Company collects personal data from the ID Card or any other documents issued by the governmental authorities which can be used for identity verification such as name, surname, gender, ID Card number, passport number, photograph, date of birth, nationality, place of birth, height.
    2. (2) For the directors and advisors, additional personal data will be collected such as the payment of remuneration, organizing training, activities, marital status, information of the spouse/cohabiting couples, children, parents, sibling, blood type, bank account, email, educational background, occupation, employment record, being the director or holding position in other Company or business, attendance of the Board of Directors Meeting or Meeting of Subcommittee, Shareholders Meetings, director’s remuneration, stock holding information, name of the broker, performance of the director, and other information as required by the law or the Good Corporate Governance principles.
  3. 2.3 The Company may collect your additional personal data when you attend any Company activities by requesting your consent on a case-by-case basis.
  4. 2.4 Company may need to collect and process sensitive personal data as determined by the Personal Data Protection Laws such as health information, food allergy information, and drug allergy information for organizing any activities or meetings participated by you. In such case, the Company will explicitly request consent from you on a case-by-case basis and will use our best endeavors to provide adequate security measures to protect your sensitive personal data
3. Use of Cookies

The Company uses cookies for the collection of the personal data as specified in the use of cookies policy

4. Request of Consents and potential effect of the Revocation of Consents
  1. 4.1 In case the Company collects and processes your personal data under your consent, you are entitled to revoke such consents given to the Company at all times. The revocation of the consent will not affect the collection, use, disclosure, or process of your personal data in which the consent had been given.
  2. 4.2 If you revoke any of the consent given to the Company or refuse to provide certain information, it may result that the Company cannot proceed to achieve the specific objective, partially or wholly, as determined in this Privacy Policy.
  3. 4.3 If you are under 20 years old, before giving consent, please specify details of your parental authority to the Company so that the Company can request consent from the parental authority as well.
5. The Retention Period of Personal Data
  1. 5.1 The Company will retain your personal data for the period as necessary to achieve the specific objectives accordingly to the type of personal data unless there is any law that permits a longer retention period. In case the retention period cannot be clearly determined, the Company will retain the personal data as the period to be expected, which is in accordance with the standard for which the personal data is collected (i.e. general maximum statutory period under the law of 10 years).
  2. 5.2 The Company provides the inspection system to delete or destroy personal data after the expiry of the retention period, not being relevant, not necessary for the objectives of the collection of such personal data.
6. Disclosure of Personal Data to Others
  1. 6.1 The Company discloses and shares your personal data with persons and juristic persons which are not in the group of the Company (“others”) for achieving the objectives in the collection and processing of the personal data as determined in this Privacy Policy such as governmental agencies (such as Ministry of Commerce, Office of the Securities and Exchange Commission, Stock Exchange of Thailand, Thailand Securities Depository Co., Ltd., court or persons which involve in case), relevant service providers (such as organizers, financial institutes, insurers, and agent or insurance broker, securities companies, alliance and business partners, advisors, professional service providers, other persons who are necessary for achieving the objectives of the collection and processing of the personal data as determined in this Privacy Policy.
  2. 6.2 The Company will require the person receiving the personal data to provide the appropriate measures to protect your personal data, process the data only as necessary, and prevent unauthorized use or disclosure of personal data.
7. Security Measure for Personal Data
  1. 7.1 The security of your personal data is important. The Company implements the standard of technical security and appropriate operation to protect against the loss of personal data, unauthorized access, use, disclosure, misuse, modification/alteration, and destruction by using security technology and procedure such as encryption and restriction of access. This is to ensure that only the permitted persons can access your personal data. These persons have been trained on the importance of protecting personal data.
  2. 7.2 The Company provides the appropriate security measure for the prevention of the loss, access, use, modification, alteration, or disclosure of personal data from those who are unauthorized or have no obligation to such personal data. The review of the measures is organized when it is necessary or there is technology change to ensure that appropriate and efficient security measures are provided.
8. Your Privacy Rights on the Personal Data
  1. 8.1 You have the rights under the Personal Data Protection Laws, in summarized, as follows:
    1. (1) Revocation of the consent given to the Company in the processing of your personal data
    2. (2) Request for review and copy of your personal data or disclose the source of collection of your personal data
    3. (3) Send or transfer personal data, which is in digital format, as specified by Personal Data Protection Laws to other data controller
    4. (4) Objection of the collection, use, or disclosure of the personal data relevant to you
    5. (5) Delete or destroy or anonymization your personal data
    6. (6) Suspend the use of your personal data
    7. (7) Correct, update and complete your personal data so that it will not mislead
    8. (8) Complain to the Personal Data Committee in case the Company or the processor, including employees or service providers of the Company, or the processor of personal data violates or is non-compliance with the Personal Data Protection Laws. The Company will consider and notify you of the result of consideration as soon as possible within 30 days from the date that the Company receives such request. The exercise of the above rights shall be in accordance with the Personal Data Protection
  2. 8.2 You may exercise your rights by clicking here or visiting https://www.supalai.com/privacy- policy
9. Details of Data Controller and Data Protection Officer
  1. 9.1 Data Controller: Supalai (Public) Company Limited Address: 1011 Supalai Grand Tower, Rama III Road, Chong Nonsi Sub-district, Yannawa District, Bangkok, 10120
  2. 9.2 Should you have any queries on the personal data protection, please contact 0-2725-8888 extension 80014 or E-mail: dpo@supalai.com