Personal Data Privacy Policy

1. Scope: This Personal Data Protection Policy must be applied to personal data in which the Company may collect,
gather, use, disclose or transfer. Such policy belongs to the Company, the Company’ s employees, personnel, staff,
representative and authorized person related to personal data analysis who acts according to order or on behalf of
the Company

2. Definition Referred to in this Policy
2.1 Processing refers to any operation in relation to personal data, for examples, data collecting, recording,
organizing, structuring, amending, recovering, disclosing, transferring, transmitting, declaring, consolidating, erasing
or damaging the data.
2.2 Personal Data refer to data of a person which help identify such person, whether directly or indirectly; for
examples, first name, last name, Email, telephone number, IP Address, photographs, nationality, religion, political
opinion, genetic data and Biometric data.
2. 3 Data Subject refers to a person who own such data which could be identified by their personal data, whether
directly or indirectly.
2.4 Data Controller refer to a natural or juristic person who proceeds with the processing.
2. 5 Data Processor refer to a natural or juristic person excluding the Company’ s employees which proceeds with the
collection, use, or disclosure of personal data according to the order or on behalf of the Company.
2.6 Company refers to Western Property Company Limited

3. Personal Data Privacy Policy: Governance Structure
3. 1 The Company shall organize the governance structure for the operation of personal data in compliance with the
laws as follows;
( 1) Organizational structure shall be conducted. Specific definition of roles, tasks and responsibilities of each
department and personnel shall be prescribed to enforce the governance, authority, obligation, procedure,
administration in compliance with Thai PDPA and the Company’s privacy policy.
( 2) To appoint the Data Protection Officer of the Company, whose roles and tasks may be as specified in the
Company’s Personal Data Protection Policy announced by the Committee of Personal Data Protection.
3.2 The Company shall prescribe policy, standards, guidelines, procedures and document related to personal data
protection in compliance with the laws and the Company’s privacy policy.
3.3 Performance management shall be implemented to regularly administrate the operation as to be in accordance
to the policy.
3.4 The Company may regularly conduct in-house trainings for its employees with the emphasis of the importance of
personal data. This is to ensure that any operation regarding personal data are performed by trained and experienced
personnel who proceed as orders and in accordance to the Company’s privacy policy.

4. Personal Data Privacy Policy: Data Processor
4.1 The Company as a Data Controller and Data Processor shall operate the processing of personal data, unbiased,
transparent and on the emphasis of the validity of personal data. The scope and purposes of processing and data
retention period shall be justifiable by the laws and the Company’s guidelines. The Company shall enforce strict
protection measures for the validity and safety of personal data.
4.2 Procedures and regulations for personal data processing shall be in accordance with the laws and the Company’s
privacy policy.
4.3 Record of Processing Activities (ROPA) shall be conducted on activities related to personal data processing and shall be as specified by the laws. The ROPA shall be amended once an amendment or related activities are executed.
4.4 Apparent process shall be regulated to ensure that the notice of purposes of the collection and processing of
personal data as well as the request of consent from Data Subject are in compliance with the laws. Strict measures
are created to operate and verify such process.
4.5 The measures for validation of personal data shall be established including the approach to amend and correct
such data.
4.6 In case of a transfer, transmit or disclosure of personal data to other parties, the Company will conduct an
agreement with the assignee who receives or uses personal data on the authority and obligation as prescribed by the
laws and the Company’s privacy policy.
4.7 In case of an international transfer of personal data, the Company will strictly comply with the laws.
4.8 The Company will cease the storage of documents containing personal data once the retention period has come
to an end as is subject to relevant laws and regulations.
4.9 Risk assessment shall be executed and related policy be implemented for the reduction of risks and effects
which may occur by the assessment.

5. Personal Data Privacy Policy: Affirmation of Data Subject’s rights
The Company shall process to establish measures, channels and procedures for Data Subject to exercise his/her rights
by laws and will keep any record and analysis of Data Subject’s request.

6. Personal Data Privacy Policy: Personal Data Protection
6.1 Adequate security policy shall be implemented and protection measures to prevent the breach and unauthorized
use of such data shall be conducted.
6.2 Corporate governance policy of incidents regarding personal data and response measures for such incidents
shall be executed for immediate identification and management of any incidents that may occur.
6.3 The Company may inform Data Subject including government officers, Data Controller (in case Company acts as
Data Processor or joint Data Controller) and related personnel as prescribed by the laws.

7. Personal Data Privacy Policy: Enforcement and Regulation of Personal Data Protection Policy
7.1 The Company shall monitor and inform Data Subject in case the amendment of laws is enforced and would, from
time to time, ameliorate the Company’s privacy policy in accordance with the laws.
7.2 The Company shall review and amend the policy, standards, guidelines, procedures and document related to
personal data protection in compliance with the laws and circumstances during a particular period of time.

8. Roles, Obligation and Responsibilities
8.1 Committee are obliged to the roles and responsibilities as follows;
(1) To regulate the governance structure for personal data and related internal operation as prescribed by the
laws and the Company’s privacy policy.
(2) To oversee and support the Company to effectively safeguard personal data in accordance to the laws.
8.2 Executives are to supervise subordinates or associate institute to comply with the Company’s privacy policy and
to emphasize on the importance of awareness of such Policy to employees.
8.3 Data Protection Officer are, according to the laws, obliged to;
(1) Ensure that Data Controller is informed about the status of personal data protection and to give advice and
recommendations for the development of the Company’s protection measures in compliance with the laws.
(2) Give advice to employees regarding the laws and the Company’s privacy policy.
(3) Inspect the operation of the Company’s institute to be as prescribed by the laws and the Company’s privacy
policy.
8.4 Employees are obliged to;
(1) Perform any task in accordance to the Company’s Personal Data Protection Policy, standards, guidelines,
procedures and document related to personal data protection in compliance with the laws and the Company’s
privacy policy.
(2) Report any incident related to personal data protection and breaching of the laws and the Company’s
privacy policy to their superiors.
Penalty for Breach of the Company’s Personal Data Protection Policy
Breach of the Company’ s privacy policy may consider offensive and may be disciplined and punished according to
the laws.

9. Contact Information
If you have any inquiries or questions regarding the Privacy Policy, please contact the Company via
dpo@westernproperty.co.th or by the following address;

Western Property Company Limited
9th Floor, 1550 Thanapoom Tower, New Petchburi Road, Makkasan, Ratthewi, Bangkok 10400
Tel: +66 2 207 0789