Personal Data Protection Notice for External Parties

This Personal Data Protection Notice for External Parties (the "Notice") is prepared to inform and make the data subjects understand about the purposes and methods of the collection, use, disclosure, and/or cross-border transfer of Personal Data, as well as the rights of the data subject, as detailed below.

Definitions

"Company" means PTT Exploration and Production Public Company Limited or PTTEP and PTTEP subsidiaries.

"Personal Data" means any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including information of deceased persons in particular.

"Sensitive Personal Data" means any Personal Data relating to a truly personal matter of a person, which is sensitive and potentially risks being used in a discriminatory or unfair manner, and is classified as sensitive personal data under Section 26 of the Personal Data Protection Act B.E. 2562 (2019), and as to be prescribed by the Personal Data Protection Commission.

"Data Processing" refers to the collection, use, or disclosure of Personal Data.

"Data Subject" means a natural person which can be identified with the Personal Data. However, it is not the case that a person has data ownership, nor creates or collects the data themselves.

Scope of Application

This Notice applies to Personal Data of the following external parties that the Company may collect, use, disclose, and/or cross-border transfer Personal Data.

1. The Company's clients – this includes only the Personal Data of employees, personnel, officers, representatives, agents, any person authorized to act on behalf of the juristic persons, directors, and other natural persons acting on behalf of the Company's corporate clients;
2. Vendors or business partners, outsourced service providers, and contracting parties – this includes only the Personal Data of:
   1. 2.1 natural persons who were, are, or may in the future be the Company's vendors or business partners, outsourced service providers, or contracting parties; and
   2. 2.2 employees, personnel, officers, representatives, agents, any persons authorized to act on behalf of the juristic persons, directors, and other natural persons acting on behalf of the vendor or business partner, outsourced service providers, and the Company's corporate contracting parties.
3. Partners, business alliances, and PTT group companies – this includes only the Personal Data of employees, personnel, officers, representatives, agents, any persons authorized to act on behalf of the juristic persons, directors, and other natural persons acting on behalf of the partners, business alliances, and PTT group companies;
4. Visitors and any external parties entering the Company's premises, and visitors to, the Company's websites or applications;
5. Stakeholders, which include the Company's former employees, directors and former directors, shareholders, investors, analysts, members of the mass media, community leaders, and participants in the Company's Corporate Social Responsibility activities and other activities;
6. Applicants for job or internship, and other persons to whom these persons refer, or whose information is provided for the Company; and
7. Other external parties, such as regulators, official authorities, and government agencies, including persons who are former regulators, official authorities, and government agencies.

The details on Data Processing of each of these groups of persons are provided under each relevant section.

Cross-border Transfers of Personal Data

The Company may send and/or transfer your Personal Data to persons or organizations located in foreign countries, by relying on the legal basis or data subject’s consent. In cases where the country may not have Personal Data protection standards equivalent to those of Thailand, the Company will implement appropriate measures to ensure adequate protection of Personal Data sent or transferred. The Company will also ensure that the recipients have appropriate Personal Data protection standards, which may include the use of the Personal Data Protection Policy for sending or transferring Personal Data to the data controller or data processor who is in a foreign country, and is in the same affiliated business, or in the same group of undertakings in order to jointly operate the business or group undertakings (Binding Corporate Rules)

Security Measures

The Company implements appropriate security measures for collection, use, or disclosure of Personal Data which include technical, administrative, and physical measures covering components of related information systems based on the compliance with security measures stipulated by Personal Data laws to maintain confidentiality, integrity, and availability of Personal Data.

Personal Data Storage and Retention Period

The Company stores your Personal Data as described below.

1. The Company stores your Personal Data in paper format and electronic formats within the Company storage, including on shared drives, cloud systems administered by the Company's outsourced service providers, and the Company's document storage cabinet and rooms, including in the data warehouse that the Company uses the service of, with access right restriction. The Personal Data retention period is also clearly specified.
2. The Company will store y our Personal Data only as necessary to fulfil the purposes as specified in this Notice or to comply with a law or as permitted by a law, unless the Company still has the right, or may rely on a legal basis to process your Personal Data, or it is required or permitted by laws for the Company to keep the Personal Data for longer.
3. After the retention period ends, or if it is no longer necessary for the Company to retain your Personal Data, the Company delete/destroy or anonymize such Personal Data within 90 days after the expiration of that period.

Rights of the Data Subject

The data subject have the following rights.

1. The right to withdraw consent for the collection, use, and/or disclosure of your Personal Data to which consent is given. This withdrawal of consent will not affect the collection, use, or disclosure of Personal Data to which consent has previously been given.
2. The right to access and obtain a copy of your Personal Data, and the right to request the disclosure of acquisition of your Personal Data obtained without consent, to the extent permitted by laws.
3. The right to rectify of your Personal Data
4. The right to delete or anonymize of your Personal Data, in some cases, as permitted by laws.
5. The right to restrict the use of your Personal Data, in some cases, as permitted by laws.
6. The right to port your Personal Data, in some cases, as permitted by laws.
7. The right to object to the collection, use, and/or disclosure of your Personal Data, in some cases, as permitted by laws.
8. The right to lodge a complaint with the Personal Data Protection Committee.

A Data Subject may exercise the aforementioned rights by submitting a written request or email to the Company using the request form as provided by the Company (CLICK). The details how the rights can be exercised and contact channels are available in the "Personal Data Protection Policy" announced on the Company's website, https://www.pttep.com.

The Company will consider the request and notify the data subject of the outcome within 30 days from the date the request is received.

Revision and Amendments to the Personal Data Protection Notice

The Company may update this Notice every 3 years or whenever there are significant changes to the PDPA laws. The Company will clearly notify any such changes.

Contact Channel of the Company

Corporate Governance and Subsidiary Management Department
PTT Exploration and Production Public Company Limited
555/1 Energy Complex Building A, 19th - 36th Floors, Vibhavadi-Rangsit Road
Chatuchak Subdistrict, Chatuchak District, Bangkok 10900
Telephone: 66 (0) 2537-4000
Email: Complianceteam@pttep.com

Effective date: 1 December 2025

Related Documents