Personal Data Protection Notice for External Parties

This Personal Data Protection Notice for External Parties (the "Notice") is prepared to inform data subjects of the purposes and methods of the collection, use, disclosure, and/or cross-border transfer of Personal Data, as well as the rights of the data subject, as detailed below.

Definitions

"Company" means PTT Exploration and Production Public Company Limited or PTTEP and its subsidiaries.

"Personal Data" means any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including information of deceased persons in particular.

"Sensitive Personal Data" means any Personal Data relating to a truly personal matter of a person, which is sensitive and potentially risks being used in a discriminatory or unfair manner, and is classified as sensitive personal data under Section 26 of the Personal Data Protection Act B.E. 2562 (2019), and as to be prescribed by the Personal Data Protection Commission.

"Data Processing" refers to the collection, use, or disclosure of Personal Data.

"Data Subject" means a natural person who can be identified by the Personal Data. It does not cover the case where a person merely has ownership of the data, or creates or collects the data themselves.

Scope of Application

This Notice applies to the following external parties whose Personal Data the Company may collect, use, disclose, and/or transfer across borders.

  1. The Company's clients – this includes only the Personal Data of their employees, personnel, officers, representatives, agents, any natural persons authorized to act on behalf of the juristic persons, directors, and other natural persons acting on behalf of the Company's corporate clients;
  2. Vendors or business partners, outsourced service providers, and contracting parties – this includes only the Personal Data of:
    1. natural persons who were, are, or may in the future be the Company's vendors or business partners, outsourced service providers, or contracting parties; and
    2. employees, personnel, officers, representatives, agents, any persons authorized to act on behalf of the juristic persons, directors, and other natural persons acting on behalf of the vendor or business partner, outsourced service providers, and the Company's corporate contracting parties.
  3. Partners, business alliances, and PTT group companies – this includes only the Personal Data of employees, personnel, officers, representatives, agents, any persons authorized to act on behalf of the juristic persons, directors, and other natural persons acting on behalf of the partners, business alliances, and PTT group companies;
  4. Visitors and any external parties entering the Company's buildings, and visitors to the Company's websites or applications;
  5. Stakeholders, including the Company's directors and former directors, shareholders, investors, analysts, members of the mass media, community leaders, and participants in the Company's CSR activities and other activities;
  6. Applicants for job or internship positions, and other persons to whom these persons refer, or whose information is provided to the Company by these persons; and
  7. Other external parties, such as regulators, official authorities, and government agencies.

The details on Data Processing of each of these groups of persons are provided under each relevant section.

Cross-border Transfers of Personal Data

The Company may disclose and/or transfer your Personal Data to a person or organization located in a foreign country, possibly including data storage units located outside Thailand. Destination countries to which your Personal Data are sent or transferred may not have the same level of Personal Data protection standards as Thailand. In such cases, the Company will follow the procedures and implement measures to ensure adequate protection of Personal Data sent or transferred, and that the person or organization receiving Personal Data has reasonable Personal Data protection standards, or that the transfer complies with legal requirements, is made with your consent, or falls under an exception as prescribed by law.

Security Measures

To protect your Personal Data from accidental, unlawful, or unauthorized destruction, loss, access, use, alteration, or disclosure, the Company will use appropriate technical, physical, and administrative measures which cover access control to Personal Data, and maintain its confidentiality, integrity, and availability in accordance with the minimum legal requirements. These measures include access restriction to the Personal Data and Personal Data storage and processing facilities which is safe and suitable for the collection, use, and disclosure of Personal Data. The Company also imposes access rights or permissions for users and user access management to limit access to the Personal Data to authorized persons only, and implements user responsibilities to prevent unauthorized access to, disclosure of, knowledge of, or copying of the Personal Data, or theft of storage or processing equipment. In addition, the Company implements a method enabling the re-examination of unauthorized access, alteration, erasure, or transfer of the Personal Data.

Personal Data Storage and Retention Period

The Company stores your Personal Data as described below.

  1. The Company stores your Personal Data in hard copies and electronic formats within the Company storage, including on shared drives, cloud systems, and the Company's document storage rooms with access restriction. The Personal Data retention period is also clearly specified.
  2. The Company will store your Personal Data only as necessary to fulfill the purposes as specified in this Notice, unless your Personal Data must be kept for longer than the specified period (such as in the case of a dispute), or the Company still has the right, or may rely on a legal basis to process your Personal Data, or it is required or permitted by laws to do so.
  3. After the retention period, or if it is no longer necessary for the Company to retain your Personal Data, the Company will destroy such Personal Data within 90 days after the expiration of that period.

Rights of the Data Subject

The data subject has the following rights.

  1. The right to withdraw consent given for the collection, use, and/or disclosure of your Personal Data. This withdrawal of consent will not affect the collection, use, or disclosure of Personal Data to which consent has previously been given.
  2. The right to access and obtain a copy of your Personal Data, and the right to request the disclosure of acquisition of your Personal Data obtained without consent, to the extent permitted by laws.
  3. The right to rectify your Personal Data.
  4. The right to delete your Personal Data, in some cases, as permitted by laws.
  5. The right to restrict the use of your Personal Data, in some cases, as permitted by laws.
  6. The right to port your Personal Data, in some cases, as permitted by laws.
  7. The right to object to the collection, use, and/or disclosure of your Personal Data, in some cases, as permitted by laws.
  8. The right to lodge a complaint with the Personal Data Protection Committee.

A Data Subject may exercise the aforementioned rights by submitting a written request or email to the Company using the request form as provided by the Company. Details on how the rights can be exercised and the contact channels are available in the "Personal Data Protection Policy" announced on the Company's website, https://www.pttep.com.

The Company will consider the request and inform you of the consideration result within 30 days from the date the request is received, or within the timeframe specified by laws. The Company may reject a request from the data subject to exercise the right if permitted by laws.

Revision and Amendments to the Personal Data Protection Notice

The Company will revise this Notice every three years, unless there is a material change to the law or the Company's operations. The Company will inform you of the material change before it takes effect. The Company may ask for your consent once again if it is required by law.

Contact Channel of the Company

Governance, Compliance, Internal Control, and Subsidiary Management Department
PTT Exploration and Production Public Company Limited
555/1 Energy Complex Building A, 6th, 19th - 36th Floors, Vibhavadi-Rangsit Road
Chatuchak Subdistrict, Chatuchak District, Bangkok 10900
Telephone: 66 (0) 2537-4000
Email: Complianceteam@pttep.com

Effective date: 1 October 2021