Announcement of Personal Data Protection Policy

The Architects & Turnkey Co., Ltd. (“the Company”) recognizes the importance of protecting personal data and maintains appropriate security measures in accordance with international standards. Accordingly, the Company has prepared and published this Personal Data Protection Policy (“the Policy”) for all related parties to acknowledge. This Policy applies to executives, employees, and all external personnel working for the Company. Department heads are responsible for supporting, promoting, and monitoring compliance with the Policy and all applicable personal data protection laws as follows:

1. 1. Collection of personal data shall be limited strictly to what is necessary and only for the intended purposes.
   2. Data quality: All collected personal data must be accurate and appropriate. The Company will implement suitable security measures and risk-management processes.
   3. Purpose & legal basis: Collection, use, or disclosure of personal data must be based on a lawful basis and limited to the specified purposes. Personal data will not be disclosed to third parties except in the following cases:
      1. Vital interest (to protect life, health, or safety)
      2. Contract (performance of a contract between the parties)
      3. Official authority (to comply with a legal obligation or court order)
      4. Legitimate interest
      5. Legal obligation
      6. Research or statistical purposes
      7. Consent of the data subject
   4. The Company shall publicize and disseminate this Policy and related practices on its website and otherwise comply with legal requirements—such as supporting data-subject rights, defining responsibilities for Data Controllers and Data Processors, and appointing a Data Protection Officer (DPO).
   5. All personnel must remain vigilant and responsible for protecting personal data as if it were their own.

• This Policy also aims to inform all stakeholders of the details regarding the collection, use, disclosure, and cross-border transfer of personal data, and the security measures in place to comply with Thailand’s Personal Data Protection Act B.E. 2562 (“PDPA”), related laws, and international standards. The Company strives to limit data collection and processing strictly to what is necessary for the stated purposes to deliver services to data subjects.

1. 1. Scope of Application

This Policy applies to all personal data that the Company may collect, use, disclose, or transfer abroad concerning the following groups:

1. 1. 1. ) Construction-business customers and other clients, including:
         • a) Individuals who are current, past, or prospective customers
         • b) Employees, representatives, authorized signatories, directors’ contacts, and other natural persons acting on behalf of corporate clients
      2. ) Business partners and contractors, including:
         • a) Individuals who are current, past, or prospective partners or contractors
         • b) Employees, representatives, authorized signatories, directors’ contacts, and other natural persons acting on behalf of corporate partners
      3. ) Shareholders, investors, and any persons interested in investing in the Company
      4. ) Visitors and external individuals entering Company premises for security purposes
      5. ) Stakeholders or persons from whom the Company collects data for social activities or other purposes
      6. ) Personnel, employees, and job applicants, including family members and referees

This Policy covers all channels through which personal data may be received or collected—such as business-unit contact points, electronic systems, websites, complaint or feedback channels, online communication tools, mobile apps, events, public areas or communities managed by the Company, and other related activities.

It describes the types of personal data collected, sources, purposes of collection/use/disclosure/transfer, recipients of disclosures or transfers, retention periods, data-subject rights under the PDPA, and the security measures in place.

1. 2. Definitions

“Personal Data” means any information relating to a natural person that can identify that person, directly or indirectly (e.g., name, address, ID number, email, phone, IP address, cookie ID, health or financial data, etc.).

The following are not personal data: business-contact information that does not identify an individual (e.g., company name, company address, corporate registration number, work phone, work email), anonymous data, pseudonymized data, or data of deceased persons.

“Sensitive Personal Data” means data deemed sensitive under the PDPA—such as race, ethnicity, political opinions, religious beliefs, sexual behavior, criminal history, health information, biometric data—which the Company may only process with the data subject’s consent.

“Data Processor” means any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.).

“Data Subject” means a natural person to whom the personal data relates.

3. Cookies and Use of Cookies

When you visit the Company’s website, cookies may be placed on your device and certain data collected automatically. Some cookies are necessary for proper site functionality, while others enhance your browsing experience. Please see our Cookie Policy for details.

4. Policy Updates

The Company may review and amend this Policy from time to time to align with best practices, laws, and regulations. Any updated version will be published on the Company’s website and other communication channels.

5. Data Retention, Duration & Security Measures

The Company will retain personal data only as long as necessary to fulfill the purposes stated in this Policy—considering contract terms, legal limitation periods, audit requirements, and potential legal claims.

The Company implements appropriate physical, technical, and organizational safeguards aligned with international standards to prevent loss, unauthorized access, alteration, or disclosure of personal data.

Access to personal data is restricted and protected by security technologies. When disclosing data to external processors, the Company ensures they comply with its instructions and relevant laws.

6. Data Subject Rights

Consent remains valid until withdrawn in writing. Data subjects may withdraw consent or request suspension of processing by submitting a written or electronic request.

Under the PDPA, data subjects have the following rights:

• Right of Access: to request access to and copies of their data.
• Right to Data Portability: to receive data in a structured electronic format and request its transfer.
• Right to Rectification: to correct or complete inaccurate or incomplete data.
• Right to Object, Erasure & Restriction: to object to processing, request deletion/anonymization, or restrict processing, subject to legal limits.
• Right to Withdraw Consent: to withdraw consent at any time; withdrawal does not affect prior lawful processing.
• Right to Be Informed: to ask questions or raise concerns; data subjects may file complaints with the PDPC if rights are violated.

7. Penalties for Non-Compliance

Failure to comply with this Policy may result in disciplinary action and/or legal penalties.

8. Contact Information

If you have questions about this Policy or wish to exercise your rights, please contact:

The Architects & Turnkey Co., Ltd. (Head Office)

Address: 47/47 Moo 9, Bang Len Subdistrict, Bang Yai District, Nonthaburi 11140

Phone: 02-923-2239 ext. 325

Data Protection Officer

Email: dpo@thearchitects.co.th

This announcement is effective as of January 2, 2025.