Personal Data Protection Policy

Sky CC Co., Ltd. (the “Company”) recognizes the rapid advancement of modern information and communication technologies. As such, the Company places great importance on respecting your privacy rights and ensuring the security of your personal data. The Company has established policies, procedures, and operational guidelines to ensure the security of personal data, thereby providing assurance that your personal data will be used solely for its intended purposes and in accordance with applicable laws.

The Company acknowledges the significance of personal data protection in accordance with the Personal Data Protection Act B.E. 2562 (2019) and all relevant laws, rules, regulations, and official directives (collectively referred to as the “Personal Data Protection Laws”). Therefore, this Personal Data Protection Policy (hereinafter referred to as the “Policy”) has been prepared. This Policy describes the Company’s approach to the collection, retention, use, and disclosure of personal data, as well as the rights of data subjects. It is intended to inform data subjects of how their personal data is protected by the Company.

As a Data Controller and Data Processor, the Company collects, stores, uses, and discloses personal data for the purpose of conducting business operations such as procurement, contracting, corporate activities, coordination, or improving the efficiency of internal processes—including database creation, data analysis, and process development. The Company also processes personal data for other lawful purposes and/or in compliance with applicable laws or regulations related to its business operations.

The Company commits to collecting, retaining, using, and disclosing only the necessary personal data in alignment with the purposes stated to the data subjects or as required by law. This Policy has been developed to protect the personal data of data subjects, stakeholders, or any individuals involved with the Company. The specific objectives of the Policy are as follows:

• To define the roles and responsibilities of departments, executives, employees, and all personnel involved in handling personal data.
• To establish procedures and security measures to ensure the protection and confidentiality of personal data.
• To provide operational guidelines for personnel responsible for or involved in the processing of personal data.
• To foster confidence among employees, customers, partners, service users, and other stakeholders regarding the Company’s commitment to personal data security and protection.

• This Policy applies to all members of the Board of Directors, executives, employees, contractors, external service providers, partners, and any other persons involved with or affected by the Company’s processing of personal data.
• This Policy applies to all Company operations and activities that involve the collection, use, storage, or disclosure of personal data.

The collection of personal data shall only be carried out for specific and necessary purposes in alignment with the stated objectives, or for purposes directly related to the objectives of such data collection. The data subject shall be informed prior to, or at the time of collection, or as instructed by the Data Controller. The information provided will include the following:

1. The types of personal data collected
2. The purposes for collecting each type of personal data
3. The data retention period
4. The categories of persons or entities to whom the personal data may be disclosed
5. Contact information of the Company
6. Rights of the data subject
7. The consequences of refusing to provide personal data (in cases where providing such data is legally required or necessary for entering into or fulfilling a contract)

• a) Contractual Basis: Necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract.
• b) Legal Obligation: Necessary for compliance with a legal obligation to which the Data Controller is subject.
• c) Public Task: Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
• d) Vital Interest: Necessary to prevent or suppress a danger to the life, body, or health of a person.
• e) Legitimate Interest: Necessary for the legitimate interests of the Data Controller or a third party, provided that such interests do not override the fundamental rights and freedoms of the data subject.

The Company will not collect sensitive personal data such as race, religion, criminal records, health information, disability status, biometric data, voiceprint, or any other data as defined by law, unless it is necessary and the data subject has given explicit consent, or the collection is carried out under the instruction of the Data Controller. Exceptions apply in cases where the law permits collection without the need for consent.

The use or disclosure of personal data shall be limited to the purposes for which the data subject was informed at the time of or before data collection, or as necessary and directly related to those purposes. Consent must be obtained from the data subject, unless legal exceptions apply or where the use or disclosure is required by law.

Persons or legal entities who receive personal data, either through the data subject’s consent or as data processors, must use the data only for the purposes consented to by the data subject and as specified by the Company.

However, the Company may disclose personal data under legal conditions, such as disclosure to government agencies, regulatory bodies, or under lawful requests (e.g., in legal proceedings, lawsuits, or requests from private entities involved in legal processes).

The Company may need to transfer or transmit your personal data to affiliated companies or business entities located overseas, or to other recipients as part of its normal business operations—for example, storing data on servers or cloud systems located in other countries. Such transfers will be carried out in accordance with applicable legal requirements. The Company will implement appropriate and necessary safeguards to ensure the protection and confidentiality of your personal data, in line with international standards for data processing and security.