Personal Data Protection Policy
As PTT Exploration and Production Public Company Limited and its Subsidiaries (hereinafter referred to as the “Company”) are well-aware of the importance of the protection of personal data, this Personal Data Protection Policy was prepared to explain how the Company generally treats the personal data in general such as collection, storage, use and disclosure, also including rights of the data subjects, etc. Further details on the collection, use, and disclosure relating to Company's activities will be specified in the Personal Data Protection Statement relating to the data subjects in accordance with the law. To inform the data subjects of the Personal Data Protection Policy of the Company, the Company announces the following.
“Personal Data” means any information relating to a person which enables the identification of such Person, whether directly or indirectly, but not including the information of deceased Persons in particular.
“Sensitive Personal Data” means any information categorized by laws as sensitive personal data under Section 26 of the Personal Data Protection Act, B.E. 2562 such as racial or ethnic origin, political opinions, cults, religious or philosophical beliefs, sexual behavior, criminal records, health data, disabilities, trade union information, genetic data, biometric data, or any data which may affect the data subject in the same manner, as prescribed by the Personal Data Protection Committee.
“Personal Data Protection Committee” means the Committee appointed which has the duty and authority to regulate and issue the rules, measures, or any practices relating to Personal Data protection in accordance with the Personal Data Protection Act, B.E. 2562 (2019)
2. Collection of Personal Data
The Company shall collect personal data whether directly or indirectly, from the data subject or any other sources other than from the data subject within the lawful purpose, scope, and methods. The Company will collect Personal Data only as necessary to fulfil the Company's purpose by relying on a legal basis. The Company will collect Personal Data only as necessary to fulfil the Company's purpose by relying on a legal basis. The Company will inform the details to the data subject as required by the law. Where consent from the data subject is required, the Company will obtain consent from the data subject in the electronic form or any other Company's method. Where the Company collects Sensitive Personal Data, the Company will request for explicit consent from the data subject prior to the collection unless the collection of Personal Data and Sensitive Personal Data can rely on an exception under Personal Data Protection Act, B.E. 2562 (2019) or other laws.
In some cases, the Company needs to collect Personal Data for the performance of a contract or to enter into a contract, or for compliance with laws, including for fulfilling the purpose of the Company. Refusal to provide the necessary Personal Data may result in the inability to perform a contract, enter into a contract with the data subject, comply with laws which the Company is subjected, and/or inability to fulfil the purpose for the collection, use, and disclosure Personal Data.
3. Purpose of the Collection or Use of Personal Data
The Company will collect or use data subject’s personal data for the Company's business such as the procurement, contract execution, financial transactions, company’s activities, coordination, or for improving the quality of work to be more efficient e.g. making database, analysis and development of the Company's operation, and for any other purpose that is not prohibited by law, permitted by laws, and/or for compliance with laws or regulations relating to the Company's operation. The Company will store and use such Personal Data only as necessary to fulfil the purposes as informed to the data subject or as specified by law. The Company will not do anything that than specified in the purposes of the collection of Personal Data unless:(1) The data subject has been informed of such a new purpose, and the consent is obtained from the data subject;
(2) It is to comply with Personal Data Protection Act or the relevant
4. Disclosure of Personal data
The Company will disclose data subject's Personal Data to another person as permitted by the laws or as consented by the data subject and accordingly to the purpose that has been informed. However, for the benefits of the Company's operation and providing service to the data subject, the Company may have to disclose data subject's Personal Data to affiliated companies or other persons, located in Thailand or a foreign country, such as service providers involving in Personal Data. In disclosing Personal Data to such persons, the Company will ensure that those persons maintain the confidentiality of the Personal Data and will not use Personal Data for the purpose other than the Company specifies.
Furthermore, the Company may disclose data subject's Personal Data as required by law, such as, disclosure to government agencies, government entities, or regulators, including in the event when there is a disclosure request authorized by law, e.g. a request on data disclosure for litigation or prosecution or a request from the private organization or any third party relating to a legal proceeding, when permitted by laws and/or the Company has a duty in accordance with the law to disclose such Personal Data.
5. Cross-border Transfer of Personal Data
The Company may disclose and/or transfer your Personal Data to persons or organizations located in foreign countries, such as sending data to the affiliated companies, or the data storage unit located outside of Thailand.
In some cases, destination countries to which your Personal Data are sent or transferred may not have the equivalent level of personal data protection standards as Thailand. In such cases, the Company will follow the procedures and implement measures to ensure adequate protection of Personal Data sent or transferred, and that the person or organization receiving Personal Data has appropriate Personal Data protection standards, which may include the use of the Personal Data Protection Policy for sending or transferring Personal Data to the data controller or data processor who is in a foreign country, and is in the same affiliated business, or in the same group of undertakings in order to jointly operate the business or group undertakings, or the transfer complies with legal requirements, with your consent, or fall under exceptions as required by law.
6. Personal Data Storage and Retention Period
The Company may store your Personal Data in hard copies and electronic formats. The Company will store your Personal Data only as necessary to fulfil the purposes of the collection, use, and disclosure of Personal Data, including the storing such Personal Data for the retention period where the Company has the right or is able to rely on a legal basis to collect, use, and/or disclose such Personal data, or specified period by law, or permitted by laws.
7. Personal Data Protection Measures
The Company will impose measures including Personal Data security measures in accordance with the laws, regulations, rules, and guidelines on Personal Data protection on Company's employees and other relevant persons. This includes supporting and promoting employees' knowledge and awareness of duties and responsibilities with respect to collecting, using, and disclosing Personal Data of the data subject. Employees must comply with the Company's Personal Data Protection Policy and Statement so that the Company can lawfully and effectively act accordingly to the Personal Data protection laws and policy.
8. Rights of Data Subject
The data subject has the following rights:
(8.1) The right to withdraw consent for the collection, use, and/or disclose of your Personal Data. This withdrawal of consent will not affect the collection, use, or disclosure of your Personal Data to which consent has previously been given.
(8.2) The right to access, and obtain a copy of your Personal Data including the right to request the disclosure of acquisition of your Personal Data obtained without consent.
(8.3) The right to rectify your Personal Data.
(8.4) The right to delete your Personal Data.
(8.5) The right to restrict the use of your Personal Data.
(8.6) The right to port your Personal Data.
(8.7) The right to object to the processing of your Personal Data.
(8.8) The right to lodge a complaint to the Personal Data Protection Committee.
To exercise the rights indicated above, the data subject can submit a written or electronic request form as prescribed by the "Contact Information" below. The Company will consider the request and notify the data subject of the result within 30 days from the date the request is received. The Company may reject a request from the data subject if permitted by laws.
9. Revision and Changes of Policy
The Company may update or amend this policy from time to time to ensure conformity with legal provisions, changes in the Company's operation, and other agencies' feedback and suggestions. The Company will clearly inform you of any changes before the revision or amendment.
10. Contact Information
Governance, Compliance, and Internal Control Department
PTT Exploration and Production Public Company Limited
555/1 Energy Complex Building A, 6th Floor & 19th - 36th Floor, Vibhavadi-Rangsit Road, Chatuchak, Chatuchak, Bangkok 10900 Thailand
Phone : 66 (0) 2537-4000 Fax : 66 (0) 2537-4444
Email : Complianceteam@pttep.com
Policy No. 12157-PCY-002-R01
Effective date: 1 June 2022