Privacy Notice for Members of the Registered Provident Fund for Executives of the Siam Cement Public Limited Company and the Registered Provident Fund of Cementhai Group

The registered provident fund for executives of the Siam Cement Public Limited Company and the registered provident fund of Cementhai Group (collectively referred to as “we”) respect the right to privacy of our members (collectively, “you”). To ensure that your personal data is protected, we have created this Privacy Notice to inform you of the details regarding the collection, use, disclosure, deletion, and destruction (collectively, “processing” and “process”) of your personal data, both online and through other channels, in accordance with the personal data protection law.

1. Objectives of Our Processing of Your Personal Data

1.1 We process your personal data because it is necessary for the performance of the contracts between you and us. We use your personal data in this regard, for example, to create membership registers, to identify you, to verify information received from you, to create your user account, to authenticate your identity before logging into our systems, to comply with our rules, and to track and inform you of returns of assets under our management;

1.2 We process your personal data because it is necessary for compliance with a legal obligation to which we are subject, e.g. laws concerning provident funds, including regulations, announcements, and orders of competent authorities;

1.3 We process your personal data because it is necessary for the purposes of the legitimate interests pursued by us or by a third party, such as to manage the funds, to organize our activities, to manage finance and budgets, to contact internally and externally, to comply with registration requirements, to execute powers of attorney, to create public documents and reports, to submit information to competent authorities and governing bodies, to access information technology systems, and to audit and investigate complaints, allegations, lawsuits, and disputes;

1.4 We process your personal data because it is necessary in order to protect vital interests of you or of another person, for instance, to make contact in case of emergency and to control and prevent diseases;

1.5 We process your personal data because it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us; and

1.6 We process your personal data in accordance with consent obtained from you.

2. Personal Data We Collect

2.1 Data concerning membership registers such as name, surname, date of birth, age, duration of employment, remuneration, and other information relating to your employment which is necessary for your membership status;

2.2 Contact information such as address, telephone number, email address;

2.3 Information concerning management of your investment such as values of your investment and your investment policies;

2.4 Information concerning beneficiaries such as names, surnames, relationships, telephone numbers (you must inform your individual beneficiaries of this privacy notice before disclosing their information to us);

2.5 Information we are required to disclose to competent authorities such as the Securities and Exchange Commission;

2.6 Financial information such as bank account numbers, tax information;

2.7 Information concerning use of and access to information technology systems, computers, applications, websites, infrastructure, electronic devices, and email systems to comply with our information technology policies and relevant laws;

2.8 Information you choose to share and disclose through our systems, applications, tools, questionnaires, assessments, and other documents;

2.9 Information collected when you participate in our activities such as information on meeting attendance, participation in our activities, responses to our surveys, and photographs and videos;

2.10 Identification documents such as citizen card, passport, and other documents issued by competent authorities; and

2.11 Other information necessary to the performance of contracts and compliance with our rules (please note that we may not be able to perform our contractual obligations and provide you with certain services if you refuse to give this information to us).

3. Special Category Data

3.1 We may have to collect and process your special category data to achieve the objectives indicated in this Privacy Notice.

3.2 We may have to process biometric data, which is special category data, such as fingerprints and facial images to verify and authenticate your identity, prevent possible crimes, and protect legitimate interests of us or other persons.

3.3 Where necessary, we will process your special category personal data only when you give us explicit consent or for other purposes as required by law. We will try our best to provide adequate security measures to protect your special category personal data.

4. Cookies and Other Similar Technologies

We use cookies and similar technology to collect personal data as specified in our Cookies Notice.

5. Consent, Withdrawal of Consent, and Consequences

5.1 You are entitled to withdraw your consent at any time but such withdrawal will not affect the validity of the processing made prior to the withdrawal of consent.

5.2 Your withdrawal of consent or refusal to provide certain information may result in us being unable to fulfill some or all of the objectives stated in this Privacy Notice.

6. Retention Period

6.1 We retain your personal data for the period necessary to meet the objectives unless the law requires longer retention periods. In the event that such period is unclear, we will retain the data for a customary expected period in accordance with retention standards (e.g. ten years according to the statute of limitations).

6.2 We retain your personal data as long as you are our member to perform our contractual obligations and comply with our rules, and as long as necessary, but in any case your personal data will not be kept for more than 10 years after your membership has ended.

6.3 We retain personal data of individual beneficiaries as long as necessary to achieve the objectives indicated in this Privacy Notice.

6.4 If your personal data is processed based on consent, we will stop the processing when you have withdrawn the consent. However, we may keep your personal data to record your withdrawal so we can respond to your request in the future.

6.5 We have established an auditing system to delete or destroy your personal data when the retention period expires or when it becomes irrelevant or unnecessary for the purposes of collecting that personal data.

7. Disclosure of Your Personal Data

7.1 We disclose and share your personal data with:

(1) Companies in SCG (“affiliates”) whose names are listed in the Schedule; and

(2) Individuals and entities which are not our affiliates (“third parties”) for the purpose of collecting and processing personal information as described in this Privacy Notice such as our dealers, transport and logistics service providers, postal service providers, data processing service providers, marketing service providers (who might send messages to you to promote our products and services), contractors (who might perform tasks on our behalf), financial service providers (such as banks, payment companies, electronic payment service providers, credit providers), IT service providers (such as providers of cloud services, blockchain systems, data analytics, SMS, or emails), IT developers, programmers, auditors, consultants, advisors, government agencies (e.g. the Revenue Department, the Anti-Money Laundering Office), insurers, and other persons to the extent necessary to enable us to conduct business, provide products and services, and meet the purposes for the collection and processing of personal data as described in this Privacy Notice.

7.2 We will require persons receiving your personal data to take appropriate measures to protect your personal data, process the data properly and only as necessary, and prevent unauthorized use or disclosure of your personal data.

8. Security Measures

8.1 We have implemented appropriate technical and administrative standards to protect your personal data from loss, misuse, and unauthorized access, use, disclosure, or destruction. We use technology and security procedures such as encryption and access restriction to ensure that only authorized people have access to your personal data, and that they are trained about the importance of protecting personal data.

8.2 We provide appropriate security measures to prevent the loss, access, use, change, or disclosure of personal data by those who do not have rights or duties related to that personal data. We will review the above-mentioned measures when necessary or when the technology changes to ensure effective security.

9. Your Rights as a Data Subject

9.1 You have the rights under the personal data protection law summarized as follows:

(1) Withdraw the consent you have given to us;

(2) Request to view and copy your personal data or disclose the source where we obtain your personal data;

(3) Send or transfer personal data that is in an electronic form as required by personal data protection laws to other data controllers;

(4) Oppose the collection, use, or disclosure of personal information about you;

(5) Delete or destroy or make your personal data non-personally identifiable (anonymous) information;

(6) Suspend the use of your personal data;

(7) Correct your personal information to be current, complete, and not cause misunderstanding; and

(8) Complain to the Personal Data Protection Committee in the event that we, our data processors, our employees, or our contractors violate or do not comply with personal data protection laws.

In this regard, we will consider your request, notify the result of the consideration, and execute it (if appropriate) within 30 days from the date we receive the request. Your rights mentioned above will be in accordance with the personal data protection law.

9.2 You can exercise your legal rights using e-hr if you are a current employee of SCG or click here if you are not a current employee of SCG.

10. Information about Data Controller and Data Protection Officer

10.1 The registered provident fund for executives of the Siam Cement Public Limited Company located at 1 Siam Cement Road, Bangsue, Bangkok, Thailand. Telephone number 0-2586-3333 Email address: data.privacy@scg.com

10.2 The registered provident fund of Cementhai Group located at 1 Siam Cement Road, Bangsue, Bangkok, Thailand. Telephone number 0-2586-3333 Email address: data.privacy@scg.com

In the event that this Privacy Notice is amended, we will announce a new version on our website or application, which we recommend you review periodically. The new Privacy Notice will be effective immediately on the date of announcement.