Personal Data Protection Policy
of
Mitsubishi Electric Kang Yong Watana Co., Ltd.


   Mitsubishi Electric Kang Yong Watana Co., Ltd. ("the company") give precedence to Personal Data and the protection of Personal Data that occurs during the company's business operations. In order to protect the security of Personal Data received, the company has therefore established this Personal Data Protection Policy for managing Personal Data of the company which includes the collection, use, disclosure and other rights as well as to be informed everyone, the company therefore would like to announce the Personal Data protection policy (“the policy”) as follows:

1. Definition in the protection of Personal Data
   1.1 “Personal Data” means any information relating to a person, which enables the identification of such person, whether directly or indirectly, for example, name, surname, identification number, address, email address, telephone number, etc.
   1.2 “Data Controller” means a person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data
   1.3 “Data Processor” means a person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such person or juristic person is not the Data Controller

2. Scope of protection of Personal Data
The protection of Personal Data in accordance with this policy shall apply to the collection, use, disclosure, amendment or any actions to Personal Data by the company appoint the Corporate Compliance Office (“CCO”) to strictly examine the compliance with this policy.

3. Restriction of collection of Personal Data
   3.1 The company may collect Personal Data as the Data Controller and the collection of Personal Data will be used for the purpose, scope and method that are lawful and fair, including the restriction of collecting of Personal Data storage as necessary to conduct the business or provide the services.
   3.2 The company shall implement strictly security measures as well as prevent the Personal Data from being used without permission from the data subject. In this regard, the company will inform the data subject to acknowledge and give a consent in accordance with the company's procedure prior collecting, unless
      3.2.1 It is necessary for compliance with a law to which the Data Controller is subjected;
      3.2.2 It is for preventing or suppressing a danger to a person’s life, body or health;
      3.2.3 It is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
      3.2.4 It is necessary for the performance of a task carried out in the public interest by the Data Controller, or it is necessary for the exercising of official authority vested in the Data Controller;
      3.2.5 It is necessary for legitimate interests of the Data Controller or any other persons or juristic persons other than the Data Controller, except where such interests are overridden by the fundamental rights of the data subject of his or her Personal Data;
      3.2.6 It is for the achievement of the purpose relating to the preparation of the historical documents or the archives for public interest, or for the purpose relating to research or statistics, in which the suitable measures to safeguard the data subject's rights and freedoms.
   3.3 The company may outsource, third party services (Data Processor), to carry out activities related to business operations and provide services, such as contacting or providing after-sales services, marketing research, and organizing promotional activities, etc. The Data Processor must have security measures and prohibit to collection, use or disclose Personal Data other than those specified by the company.

4. Purpose of Collection, Use and Disclosure of Personal Data
The company may collect, use and disclose Personal Data for the purpose of conducting business and providing services such as after sales service, market research and sales promotion activities, or for the purpose of analyze and present any company products and / or the person who is the distributor or related to the company as well as for other purposes that are not against the law and / or to comply with laws or regulations applicable to the company both now and in the future, including allowing the company to send, transfer and / or disclose Personal Data to companies in the business group, business partner, Data Processor that entered into the agreement or contract with the company. The company shall only preserve such Personal Data as long as is necessary for those purposes. If there is any change in the purpose of collection, storage, use and disclosure of personal information, the company must announce later.

5. Rights of the data subject
   5.1 Withdraw the consent to collect, use or disclose your Personal Data unless there is a restriction of the withdrawal of consent by law, or the contract which gives benefits to the data subject However, the withdrawal of consent shall not affect the collection, use, or disclosure of personal data that the data subject has already given consent legally. Moreover, the withdrawal of consent may prevent the company from fulfilling the contract or provide service or after sales service
   5.2 Request access to and obtain copy of the Personal Data related to him or her, which is under the responsibility of the company and according to the rules and procedures specified by the company, or to request the disclosure of the acquisition of the Personal Data obtained. However, the request can be rejected where it is permitted by law or pursuant to a court order, and such access and obtaining a copy of the Personal Data would adversely affect the rights and freedoms of others.
   5.3 Request the company to send or transfer your Personal Data to you or the other Data Controllers (If the said Personal Data is in a form that can do so)
   5.4 Object the collection, use, or disclosure of your Personal Data as specified in the Personal Data Protection Act, B.E. 2562 (2019) such as, where the Personal Data is collected with the exemption to consent from you or the collection, use, or disclosure of such Personal Data is for the purpose of direct marketing or statistic research.
   5.5 Request the company to amend or change your Personal Data that is not accurate or not complete and make your information up to date
   5.6 Request the company to restrict the use of your Personal Data according to specified in the Personal Data Protection Act, B.E. 2562 (2019)
   5.7 Request the company to erase or destroy the Personal Data, or anonymize the Personal Data to become the anonymous data which cannot identify the data subject according to specified in the Personal Data Protection Act, B.E. 2562 (2019) such as, the Personal Data is no longer necessary in relation to the purposes for which it was collected, used or disclosed or the data subject withdraws consent on which the collection, use, or disclosure is based on, and where the Data Controller has no legal ground for such collection, use, or disclosure. However, erasing or destroying Personal Data may prevent the company from providing accurate and complete after sales service to you.
   5.8 File a complaint in the event that the company or the Data Processor, including the employees or the service providers of the company or the Data Processor violates or does not comply with the Personal Data Protection Act, B.E. 2562 (2019).
   5.9 The data subject acknowledge that the Company may refuse to exercise your rights as the data subject as specified in clause 5.1-5.8 if the Company has a legitimate reason for denying the use of such rights.

6. Security Measures to protect the Personal Data
The company is aware of the importance of the security of your Personal Data. Hence, the company therefore has established appropriate security measures to protect the Personal Data and accordance with the confidentiality of Personal Data in order to prevent the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of Personal Data, and such measures must be reviewed when it is necessary, or when the technology has changed in order to efficiently maintain the appropriate security and safety. It shall also be in accordance with the Regulation on Information Security Management, the Regulation on Internet Website Management and the Regulation on Protection of Computer related Crime of the company.

7. Notification of any Personal Data breach
The company shall notify the Office of the Personal Data Protection Committee of any Personal Data breach without delay and, where feasible, within 72 hours after having become aware of it, unless such Personal Data breach is unlikely to result in a risk to the rights and freedoms of the persons. If the Personal Data breach is likely to result in a high risk to the rights and freedoms of the persons, the company shall also notify the Personal Data breach and the remedial measures to the data subject without delay.

8. Review of the Personal Data Protection Policy
The company may review and up to date or amend the Personal Data Protection Policy in order to the appropriateness and efficiency of business operations and services. In which the company will inform via the website of the company. Hence, the company therefore recommends you periodically review this policy for the latest policy of the company.

9. Contact the company
Should you have any further questions about your Personal Data or wish to exercise the rights regarding your Personal Data, please contact the company according to the following details:
   Corporate Compliance Office Mitsubishi Electric Kang Yong Watana Co., Ltd.
   No. 28 Krungthep Kreetha Road, Hua Mak Sub-district, Bang Kapi District, Bangkok 10240
   Phone 02-763-7000
   Website: https://www.mitsubishi-kyw.co.th