The Thai Summit Harness Group (“the Company”) recognizes and places the utmost importance on the protection of personal data and the privacy rights of employees, customers, suppliers, contractors, visitors, job applicants, and all stakeholders. This commitment forms an integral part of the Company’s corporate governance, risk management, ethical business conduct, and sustainable business operations in accordance with human rights principles, applicable laws, and international standards.
The Company is committed to collecting, using, disclosing, storing, transferring, and processing personal data in a lawful, transparent, fair, secure, and accountable manner in compliance with the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) and, where applicable, relevant international standards such as the GDPR, ISO/IEC 27701, and ESG and Human Rights Compliance principles.
To ensure efficient operations, transparency, and stakeholder confidence, the Company hereby establishes this Personal Data Protection and Privacy Policy as follows:
________________________________________
1. Purpose
1.1 To establish standards, guidelines, and measures for personal data protection in compliance with applicable laws and international standards.
1.2 To protect the rights and freedoms of data subjects.
1.3 To define the roles, responsibilities, and accountability of management, employees, and related parties in relation to personal data management.
1.4 To promote effective Data Governance and Information Security Management practices.
1.5 To support sustainable business operations in accordance with ESG and Human Rights principles.
________________________________________
2. Scope of Application
This Policy applies to:
• Thai Summit Harness Public Company Limited
• Affiliated companies
• Directors, executives, and employees
• Temporary staff and outsourced personnel
• Consultants and interns
• Third-party service providers
• Data processors
• Any individuals or entities involved in the processing of personal data on behalf of the Company
This Policy covers personal data processing in all forms, including:
• Physical documents
• Electronic systems
• Cloud systems
• Information technology systems
• CCTV systems
• Communication devices and digital platforms
________________________________________
3. Definitions
“Personal Data”
Any information relating to an identifiable natural person, directly or indirectly, including but not limited to:
• Full name
• National identification number
• Telephone number
• Email address
• Photographs
• Location data
• IP address
• Employment-related information
“Sensitive Personal Data”
Personal data classified as sensitive under applicable laws, including:
• Racial or ethnic origin
• Religious beliefs
• Health information
• Biometric data
• Criminal records
• Trade union information
“Data Controller”
A person or legal entity with authority to make decisions regarding the collection, use, or disclosure of personal data.
“Data Processor”
A person or legal entity processing personal data on behalf of or under instructions from the Data Controller.
“Data Subject”
A natural person who is the owner of the personal data.
“Data Protection Officer (DPO)”
A person appointed to oversee, monitor, and provide advice regarding compliance with personal data protection laws.
________________________________________
4. Personal Data Protection Principles
The Company shall process personal data in accordance with the following principles:
4.1 Lawfulness, fairness, and transparency
4.2 Purpose limitation and data minimization
4.3 Use limitation in accordance with specified purposes
4.4 Accuracy and data quality maintenance
4.5 Storage limitation and retention control
4.6 Integrity and confidentiality of personal data
4.7 Accountability and auditability
________________________________________
5. Legal Basis for Processing
The Company shall process personal data based on lawful grounds, including:
• Contractual necessity
• Legal obligations
• Consent
• Legitimate interests
• Vital interests
• Public interest
________________________________________
6. Collection, Use, and Disclosure of Personal Data
The Company shall collect, use, or disclose personal data only to the extent necessary for legitimate business purposes, including:
• Human resource management
• Payroll and welfare administration
• Customer and supplier management
• Security administration
• IT and cybersecurity management
• Legal and regulatory compliance
• Internal audit and risk management
The Company shall not disclose personal data to third parties unless:
• Consent has been obtained
• Disclosure is required by law
• Disclosure is ordered by government authorities or courts
• Disclosure is necessary for legitimate business operations under appropriate safeguards
________________________________________
7. Employee Personal Data Protection
The Company shall protect employee personal data throughout the employment lifecycle, including:
• Recruitment
• Interview process
• Employment administration
• Performance evaluation
• Training and development
• Compensation and benefits management
• Disciplinary actions
• Employment termination
Examples of employee personal data include:
• Personnel records
• Health information
• Salary information
• Bank account details
• Social security information
________________________________________
8. CCTV and Workplace Monitoring
The Company may implement CCTV systems or workplace monitoring measures for purposes including:
• Security protection
• Accident prevention
• Fraud prevention
• Protection of Company assets
• Investigation of unlawful conduct
Such monitoring shall be conducted based on necessity, proportionality, and respect for individual privacy rights.
________________________________________
9. Information Security Measures
The Company shall implement appropriate:
• Administrative controls
• Technical controls
• Physical controls
Examples include:
• Access control management
• Password protection
• Encryption
• Firewalls
• Antivirus systems
• Data backup
• Log monitoring
• Data classification
• Secure disposal procedures
________________________________________
10. Cross-Border Data Transfer
The Company may transfer personal data to recipients in other countries or to international organizations only under:
• Adequate data protection standards
• Data protection agreements
• Safeguards in accordance with PDPA and GDPR requirements
________________________________________
11. Rights of Data Subjects
Data subjects have the right to:
• Access personal data
• Obtain copies of personal data
• Request correction of inaccurate data
• Withdraw consent
• Object to processing
• Request restriction of processing
• Request erasure or destruction
• Request data portability
• File complaints with regulatory authorities
________________________________________
12. Personal Data Breach Management
The Company shall establish:
• Incident Response Procedures
• Data Breach Reporting mechanisms
• Root Cause Analysis processes
• Corrective and Preventive Actions (CAPA)
In the event of a personal data breach, the Company shall:
• Assess impacts and risks
• Mitigate damages
• Notify relevant regulatory authorities as required by law
• Notify affected data subjects where the breach is likely to result in a high risk to their rights and freedoms
________________________________________
13. Third-Party Data Processor Management
The Company shall appropriately manage third-party service providers through:
• Data Processing Agreements (DPA)
• Confidentiality obligations
• Security assessments
• Vendor compliance reviews
________________________________________
14. Data Retention and Disposal
The Company shall retain personal data only for as long as necessary to fulfil:
• The purposes for which it was collected
• Legal compliance requirements
• Legitimate business purposes
Upon expiration of the retention period, the Company shall:
• Delete
• Destroy
• Anonymize the personal data
in a manner that is secure and auditable.
________________________________________
15. Training and Awareness
The Company shall provide continuous:
• PDPA training
• Cybersecurity awareness programs
• Privacy awareness campaigns
• Internal communication activities
to employees and relevant stakeholders.
________________________________________
16. Audit and Compliance Monitoring
The Company shall conduct:
• Internal audits
• Compliance monitoring
• Risk assessments
• KPI monitoring
• Management reviews
Examples of KPIs include:
• Number of personal data incidents
• PDPA training completion rates
• Response time for data subject requests
• Internal audit assessment results
________________________________________
17. Disciplinary Actions
Any person who violates or fails to comply with this Policy may be subject to:
• Disciplinary action
• Employment termination
• Civil liability
• Criminal penalties
• Claims for damages
in accordance with applicable laws and Company regulations.
________________________________________
18. Policy Review and Improvement
The Company shall review and update this Policy at least annually or when:
• New laws or regulations are enacted
• Business operations significantly change
• Cybersecurity or data breach incidents occur
• Additional customer, supplier, or international compliance requirements arise
________________________________________
19. Contact Information
If employees or data subjects have questions, concerns, or requests regarding personal data protection, they may contact the Data Controller or Data Protection Officer (DPO) at:
Thai Summit Harness Public Company Limited
202 Moo 3, Thungsukla Subdistrict, Sriracha District, Chonburi 20230, Thailand
Tel: +66 38 490 760-7
Thai Summit Cable and Parts Co., Ltd.
500/89 Moo 3, Tasit Subdistrict, Pluak Daeng District, Rayong 21140, Thailand
Tel: +66 38 659 750-58
Thai Summit Components Co., Ltd.
149 Moo 17, Bangna-Trad Road, Bang Sao Thong Subdistrict, Bang Sao Thong District, Samut Prakan 10570, Thailand
Tel: +66 2 705 2291-5
________________________________________
This Policy is hereby announced for acknowledgment and strict compliance by all concerned parties.
Announced on 22 May 2026
.............................................................
( Mr. Jutinat Sirimangkalkitti )
Wiring Harness Business Director