Privacy Policy

“Personal Data” refers to any information relating to you that enables your identification, whether directly or indirectly, excluding the information of deceased persons. The Company may collect various categories of personal data, including:

• Personal Identification Information: such as title, first name, last name, gender, age, date of birth, nationality, marital status, photographs, video recordings, CCTV footage, educational background, and information regarding the company you work for, are employed by, or hold shares in. This also includes copies of identification cards, passports, and house registration; financial status; information from government documents; vehicle information; signatures (including electronic signatures); bank account and payment details; and other identification documents.

• Contact Information: such as telephone number, mobile number, fax number, physical address, email address, Line ID, and other similar contact details.

• Other Information: related to the relationship between the Company and its business partners, such as information provided in contracts, forms, surveys, or other documents; transaction history with the Company; and computer log data.

• Personal Data of Third Parties Related to You: such as identification of your spouse or children, information about Company employees related to you, and any other data concerning individuals that you provide to the Company in any form. By providing third-party information, you represent and warrant that you have the authority to do so and permit the Company to use such data in accordance with this Privacy Policy. Furthermore, you are responsible for informing these individuals of this Privacy Policy and/or obtaining their necessary consent.

• Sensitive Personal Data: such as race as appeared in identification documents, religion as specified on national ID cards, labor union information, and biometric data (e.g., fingerprints, facial recognition, or iris recognition). It also includes health data, physical or mental conditions, criminal records, or any other data of a similar nature as prescribed by the Personal Data Protection Committee.

2.1 Directly from you: through the signing of contracts or the completion of forms; such as when you engage in business or transactions with the Company, or through interactions with the Company. This includes interactions via the Company’s online platforms, website, or mobile applications, as well as communications through email, telephone, surveys, business cards, postal mail, meetings, and various corporate activities.

2.2 From business partners: for whom you work, act on behalf of, or serve as an authorized representative.

2.3 From group companies, shareholders, or third parties: such as other business partners or representatives.

2.4 From electronic files and sources.

          The Company shall collect, use, and/or disclose your personal data based on the nature of your relationship with the Company, for the purposes of our legitimate interests, contractual obligations, or other lawful bases. All processing of personal data shall be conducted in strict accordance with the Personal Data Protection Act (PDPA), relevant Ministerial Regulations, Notifications, and other applicable laws.

          The Company shall not disclose your personal data to any third party, except for purposes essential to the Company’s business operations and provided that such disclosure does not violate the law. This may include sharing information with shareholders, other business partners, or third-party service providers engaged by the Company—such as cloud service providers, data analytics providers, and professional consultants (including lawyers, specialized technicians, and business support providers)—or for the purpose of exercising the Company’s legal rights.

          In certain instances, the Company may be required to disclose your personal data to comply with laws or regulations. This includes disclosure to law enforcement agencies, courts, government authorities, or other third parties, if the Company believes such disclosure is necessary to fulfill legal or regulatory obligations. It may also be necessary to protect the Company’s rights, the rights of third parties, or individual safety; or to detect, prevent, or resolve issues related to fraud, security, or safety. Furthermore, in the event of a transfer of rights or similar transactions, whether in whole or in part, the Company may disclose your personal data to the Company’s assignees and/or successors. In an emergency, your personal data may also be disclosed to protect your vital interests.

     5.1 The Company may send or transfer your personal data to affiliated companies or other third parties abroad where necessary for the performance of a contract to which you are a party, or for the fulfillment of a contract between the Company and another individual or entity for your benefit. This also applies to actions taken at your request prior to entering into a contract, or where necessary to prevent or suppress a danger to your life, body, or health, or that of another person. Furthermore, such transfers may be conducted to comply with the law or as necessary for the performance of tasks for significant public interest.

     5.2 The Company may store your information on computer servers or cloud systems provided by third parties and may utilize third-party programs or applications in the form of Software as a Service (SaaS) or Platform as a Service (PaaS) to process your personal data. However, the Company shall not permit unauthorized persons to access your personal data and will require such third parties to implement appropriate security measures.

     5.3 In the event that your personal data is transferred abroad, we will comply with personal data protection laws and implement appropriate measures to ensure that your personal data is protected and that you can exercise your legal rights regarding your data. This includes requiring recipients to have adequate data protection measures in place, process data only as necessary, and take steps to prevent unauthorized use or disclosure of your personal data.

          The Company shall retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, disclosed, and used, unless such data collection falls under the exemptions prescribed by the Personal Data Protection Act B.E. 2562 (2019) or other applicable laws. Furthermore, the Company may be required to retain your personal data for a period exceeding that mandated by law, should it be necessary for legal or operational requirements.

Subject to the conditions prescribed by law, your rights are as follows:

7.1 Right of Access: The right to access and request a copy of your personal data, or to request the disclosure of how your personal data was obtained without your consent.

7.2 Right to Rectification: The right to request that your personal data be corrected, updated, completed, and not misleading.

7.3 Right to Erasure or Destruction: The right to request the deletion or destruction of your personal data, or to render it unidentifiable to the data subject.

7.4 Right to Data Portability: The right to receive your personal data in a format that is generally readable or usable by automatic tools or devices, and to send or transfer such data to another organization, provided that the personal data:

(a) Was provided by you to the Company; and

(b) Is processed based on your consent for collection, use, or disclosure, or for the performance of a contract between the Company and you.

7.5 Right to Object or Restrict Processing: The right to object to the Company’s collection, use, or disclosure of your personal data, or to request the restriction of its use.

7.6 Right to Withdraw Consent: The right to withdraw your consent for the collection, use, or disclosure of your personal data—where such processing is based on consent—at any time.

7.7 Right to Lodge a Complaint: The right to file a complaint with the competent authorities if you believe that the collection, use, or disclosure of your personal data is unlawful or inconsistent with applicable data protection laws.

          Should you wish to exercise any of the aforementioned rights, please contact the Company via the “Company Contact Information” provided below. The Company will consider your request and notify you of the outcome within 30 days from the date of receipt. Please note that the Company may decline your request as permitted by law. However, the exercise of your rights shall not affect the collection, use, or disclosure of personal data previously provided to the Company. In the event that any damages arise from such data, you shall be solely and entirely responsible.

          The Company has implemented appropriate personal data security measures, encompassing administrative, technical, and physical safeguards regarding access and access control. These measures are designed to prevent the loss, unauthorized access, use, alteration, modification, or disclosure of personal data.

          Furthermore, the Company has established control measures and access restrictions for personal data, as well as for the secure use of data storage and processing equipment. We have defined specific rights and responsibilities for authorized users and restricted the access of others to prevent unauthorized access, disclosure, exposure, illicit copying, or theft of data storage and processing devices. Additionally, the Company maintains measures for regular auditing of the access, alteration, erasure, or transfer of personal data.

          In the event of a personal data breach or suspected data leakage, the Company has established management procedures to ensure security and mitigate impact on data subjects as follows:

          Upon detection or notification of a personal data breach, the Company will immediately conduct an initial investigation and assessment to identify the categories of affected data and the scope of the breach.

(a) In cases of no risk: If the Company assesses that the breach poses no risk to the rights and freedoms of individuals, the Company will document the details of the incident and the relevant measures taken in writing. This record will serve as evidence and reference for future audits by the Company or regulatory authorities.

(b) In cases of risk: The Company will notify the Office of the Personal Data Protection Commission (PDPC) of the breach without undue delay, and where feasible, within 72 hours of becoming aware of the incident.

(c) In cases of high risk: If the breach poses a high risk to the rights and freedoms of data subjects, the Company will notify the Office of the Personal Data Protection Commission (PDPC) within 72 hours. Additionally, the Company will notify the affected data subjects of the breach and provide remedial measures as soon as possible.

          Any individual who observes or believes that a violation of this Privacy Policy and its Guidelines has occurred may report the incident or lodge a complaint. The procedures for such reporting shall be conducted in accordance with the Company’s Whistleblowing Policy and Guidelines. The Company guarantees that whistleblowers or complainants will be protected and all information provided will be kept strictly confidential. Furthermore, such reporting will have no adverse effect on the individual’s employment status, both during the investigation and after the process has been concluded.

          The Company may amend or revise this Privacy Policy from time to time to ensure compliance with changes in legislation, technological advancements, or any other necessary and appropriate reasons. The Company will publish the revised Privacy Policy on its website at: https://nep.co.th/th/corporate-governance-th/privacy-policy-th/ prior to such changes becoming effective.

          The Company operates in full compliance with the Personal Data Protection Act B.E. 2562 (2019) (PDPA) and has appointed a Data Protection Officer (DPO) to oversee and monitor the Company’s operations concerning the collection, use, and disclosure of personal data. The DPO ensures that all such activities are strictly aligned with the PDPA and other relevant data protection laws and regulations.

          If you have any questions or require further details regarding the protection of your personal data, please contact the Company through the following channels:

• • Entity: NEP Realty and Industry Public Company Limited

                             Head Office:                  41 Soi Phaholyothin 5, Phaholyothin Road

                                                                  Phaya Thai District, Bangkok 10400, Thailand

                             Nakhon Ratchasima Office:        Navanakorn Industrial Estate (Nakhon Ratchasima)

                                                                999/5 Moo 1, Mittraphap Road, Na Klang Sub-district

                                                                  Sung Noen District, Nakhon Ratchasima 30380, Thailand.

• • Data Protection Officer (DPO): > Privacy Center: 044-335520 ext. 117, 312, 127

                                                                   Email : [email protected]