Privacy Notice (for Employees)

   Mitsubishi Electric Kang Yong Watana Co., Ltd., and its affiliates, including any persons involved in the personal data processing by the order or in the name of Mitsubishi Electric Kang Yong Watana Co., Ltd., (hereinafter collectively called the “Company”), gives priority to the protection of personal data of applicants, employees, workers or contractors of the Company (hereinafter collectively called the “employees or data subject”). Also, in order to comply with the Personal Data Protection Act, B.E. 2562 (2019), the Company has issued this Notice to inform employees of their rights and duties, as well as the terms and conditions for the collection, usage and disclosure of personal data (collectively, “processing”) as follows:

O Personal Data
   “Personal data” means any data about persons, which can identify the persons, whether directly or indirectly, but not including specific information of the deceased.
   “Sensitive data” means personal data about race, ethnicity, political opinions, cult belief, religion or philosophy, sexual behavior, criminal records, health information, disability, union information, genetic information, biological information, e.g. face simulation data, iris simulation data or finger-print simulation data.

O Personal Data Processed by the Company
   For the personal data processing, the Company shall apply lawful methods only as necessary according to operational objectives of the Company as follows:
   1. Data given by employees or data subject while in contact with the Company
      1.1 Personal data, e.g. first name – last name, age, date of birth, gender, age, marital status, nationality, citizen ID card no., passport no., copy of citizen ID card, copy of house registration, work position, affiliation, signature, photograph, social media data, driver’s license no., insurance no. or card, occupation, work history or other government documents for identification, etc.
      1.2 Contact data, e.g. address, telephone no., E-mail, social media accounts, etc.
      1.3 Government document data, e.g. copies of citizen ID card, house registration, passport, alien ID card, driver’s license, professional license, work permit, etc.
      1.4 Academic data, e.g. academic diplomas, academic records, transcripts, proof of education, etc.
      1.5 Financial data, e.g. bank account no., copy of bank passbook, credit card no., income, tax, provident fund, employee benefits (pension or rights due to insurance policy) and other relevant data (e.g. details of withdrawal or allowances), etc.
      1.6 Data about related third parties, e.g. spouse, children, father/mother, emergency contact person, reference person and beneficiary, etc.
      1.7 Data obtained from systems of the Company or from being employees, e.g. employee ID, work permit no., attendance and work records, overtime, absence and leaves, Username, Password for accessing systems of the Company, computer system usage history and behaviors, as well as history and behavior of usage and access to various systems, images and/or video from surveillance
cameras, information on CCTV cameras capturing faces for identification and processing biometrics, etc.
      1.8 Work data, e.g. details about occupation, qualifications, skills, membership of professional organization, experiences, opinions of employers, work performances, training, certification records, CV or resume, professional license no., etc.
      1.9 Data about usage of and access to IT systems that are computers, work systems, websites, applications, network systems, electronic devices, e-mail system in order to comply with the IT Policy of the Company and related laws, etc.
   2. Data obtained by the Company from other sources
   The Company may collect your personal data from sources accessible by general public and third parties:
      2.1 If you apply for a job through a third party, such as a recruitment agency, our company group website, or a recruitment website of third party, the Company may receive information about your job applications from those third parties.
      2.2 For health records from hospitals conducting annual health check-ups organized by the Company, it may obtain your health information from such third parties.
   In this regard, if employees refuse to provide the required personal data in order to comply with the law or contract, or to enter into a contract with the Company, it may cause the operations according to the contract and the rights to access welfare or the services provided by the Company unable to be completely executed.
   The Company shall collect personal data only after receiving consent from the data
subject except in the following cases:
   1. It is to comply with the contracts, in case that the collection, usage or disclosure
of personal data is necessary to provide services or proceed in compliance with the
contracts between the data subjects and the Company.
   2. It is to prevent or suppress danger to life, body or health.
   3. It is to comply with the law.
   4. It is for legitimate interest in case that it is necessary for the legitimate interest in the operations of the Company, which the Company shall mainly consider the rights of data subjects such as to prevent fraud, maintain security of the network systems, protect rights, liberty and interests of the data subjects, etc.
   5. It is for research study or statistics in case of preparation for the historical documents or archives for public interest, or for activities related to research study or statistics with proper protective measures in order to protect rights and liberty of data subjects.
   6. It is to perform state missions in case that it is necessary to carry out the mission for public interest or compliance with the duties assigned by the state authority to the Company.

O Sensitive data
   The Company may necessarily collect sensitive, e.g. religion, race, biological information, disability, health information, criminal records, which it shall request consent from employees every time for collection, usage and/or disclosure, except:
   1. It is to prevent or suppress danger to life, body or health of persons, which the data subjects are unable to grant their consents.
   2. It is a legitimate activity with proper protections of foundations, associations or non- profit organizations with the objectives related to politics, religious, philosophy, or labor union to their members, former members or the regular contact for such objectives without disclosing that personal data outside the foundations, associations or non-profit organizations.
   3. It is the data is made public with explicit consents of data subjects.
   4. It is necessary for legal claims, compliance with or exercises of legal rights, or the defense against the exercise of statutory rights.
   5. It is necessary for the compliance with the law to achieve objectives about
      5.1 Preventive medicine or occupational medicine, employee competency assessment, medical diagnosis, health or social services, medical treatment, healthcare management or the social work service system
      5.2 Public health benefits, e.g. health protection from dangerous contagious diseases or epidemics
      5.3 Labor protection, social security, national health security, medical treatment welfare for legal persons, road accident victims protection or social protection
      5.4 Scientific, historical or statistical research study or other public interest
      5.5 Important public interest
   If the documents you submit to the Company contain sensitive personal data such as race, blood group, religion, and so on, and the Company has no intention of processing such sensitive personal data, the Company requests that you black out or delete any sensitive personal data. If you do not, the Company may black out or delete such sensitive personal data, and it will be assumed that the Company already has your legal consent.

O Cookies Policy
   The Company uses cookies on its website. For further information on how the cookies are used by the Company, please review the Cookies Policy of the Company.

O Objectives of the Personal Data Processing
   Data processing specified under this Notice shall be deemed necessary for the Company to execute as the employer with the objectives as follows:
   1. To be in compliance with the contract as the employer.
   2. To comply with the law on labor protection and social security.
   3. To recruit personnel and assess your qualifications to match its work positions
   4. To comply with the required laws, e.g. tax payments and other legal duties.
   5. To evaluate skills and work ability
   6. To be used for work coordination
   7. To make payments for employment welfares and benefits.
   8. To be used for approval, authorization or processes related to work.
   9. To verify the qualifications and suitability for the work positions.
   10. For granting access rights to the premises and properties of the Company.
   11. For trainings, management and support of health and safety of employees
   12. To verify employment status for approval of credit card or loan applications
   13. For operations in accordance with rules, regulations, order or restrictions of Social Security Office, Department of Labor Protection and Welfare, Revenue Department, Department of Employment, Immigration Bureau, e.g. employee registration, remittance of social security, withholding tax, etc.
   14. To reorganize or modify business of the Company in the case that it: (1) must comply with negotiations for the sale of the Company's business or part of it to third parties; (2) is sold to third parties; or (3) is for new organizational restructuring, which the Company may need to transfer your personal data, in whole or in part, to relevant third parties (or their consultants) as part of the Due Diligence Process for the purpose of sales analysis or for the proposed restructuring. The Company may also need to transfer your personal data to the restructured juristic persons or third parties after the sale or reorganization so the persons can use it for the same purposes as stated in this Notice.
   15. In connection with legal or regulatory obligations
   16. To meet the regulations required of Company or to negotiate with regulatory authorities as appropriate, which may include disclosing your personal data to third parties, court and/or regulatory services, or law enforcement agencies in connection with the trial or investigations by such persons anywhere in the world or wherever it is compulsory to do so. Where applicable, the Company shall send you such request. or notify you before agreeing on the consent unless such action will affect the protection or detection of crime.
   17. Please note that in addition to the processing specified above, the Company may disclose personal data for the purposes described by the Company in this Notice to service providers, contractors, agents, consultants (e.g. legal, financial, business advisors or otherwise) and our affiliates conducting activities on behalf of the Company and other members of the Mitsubishi Electric Group. Especially for job applicants, the Company may disclose your required personal data to other members of the Mitsubishi Electric Group for the consideration of your job applications and job offers.

O Transfer and Disclosure of Personal Data
   The Company shall not disclose or transfer personal data of employees to external agencies, unless with explicit consent from employees or in any of the following cases:
   1. To achieve the objectives as specified in this Privacy Policy, the Company may be required to disclose or share specific data only as necessary to partners, service providers or external agencies, the Company shall prepare agreements on personal data processing as required by laws.
   2. The Company may disclose or share the personal data to agencies under or affiliated with the Company, which shall be data processing under the objectives as specified in this Privacy Policy only.
   3. The law or legal process requires data disclosure or release to officers, government officials or authorized agencies in order to comply with lawful orders or requests.
   4. To government agencies as obliged by duties of the employer, e.g. Social Security Office, the Revenue Department, the Legal Execution Department, etc.

O Transmission or Transfer of Personal Data Abroad
   The Company may transmit or transfer your personal data abroad by ensuring that the destination countries or agencies have adequate personal data protection standards.
   However, in case that the destination countries have inadequate personal data protection standards, the Company shall perform the transmission or transfer of personal data in accordance with rules and procedures for the adequate personal data protection standards, which must comply with the exceptions according to the rules specified by the Company without contravening the law.

O Personal Data Protection
   The Company shall apply technical measures and proper management to protect and maintain security of the personal data of employees by performing encryption for data transfer via the internet and restricting the access to your personal data only to related persons both as documents and in electronic formats.

O Data Retention Period
   The Company shall retain personal data of employees throughout the period of
employment or obligation of employees with the Company. It also reserves the rights to retain
the data for 10 (ten) more years after termination of employment in order to protect and
defend any claims of/against the Company. Unless required by relevant law to retain the
personal data for other durations, the Company may need to retain the data longer than
the specified periods.

O Internet Security
   1. Transmission of data via the internet or websites may not guarantee the security from intrusion. However, the Company shall maintain physical defense, electronic protection and proper safeguard in commercial aspect in order to protect your personal data as required by legal regulations on data protection.
   2. All information provided by you to the Company shall be stored in secure servers of the Company, and shall be accessed and used according to the policies and measures on security of the Company. In case that the Company provides a password to you (or in case that you have chosen a password), which allows you to access a part of the website of the Company, you are responsible for keeping the password confidential and complying with any other security procedures that the Company informs you. The Company requires that you do not reveal the password to anyone at all.

O Connection to External Websites or Services
   Services of the Company may connect to websites or services of third parties, which their privacy policies may contain different contents from this Policy. The Company recommends you to study the privacy policies of those websites or services in order to acknowledge the details before accessing them. In this regard, the Company has no association or control over their personal data protection measures, and cannot be responsible for the contents, policies, damages or actions caused by the websites or services of the third parties.

O Revision of the Privacy Notice
   The Company may revise the Privacy Notice by announcing it via internal communication channel: along with the latest revision date. The Company recommend employees to check this Notice regularly.

O Data Subject Rights
   Employees can exercise the rights granted by laws and specified in this Policy as follows:
   1. Right to withdraw the given consent. Employees can exercise this right at any time unless there are legal restrictions or contracts beneficial to employees. However, the withdrawal of consent shall not affect the personal data processing due to the lawful consent previously given to the Company.
   2. Right to request an access and obtain a copy of the personal data, unless in case
that the Company has the right to decline the request of employees by law or court
orders, or in case that the request of employees may jeopardize the right and liberty of
the others.
   3. Right to request modification of the data to become up-to-date, accurate, complete and not misleading. In this regard, the Company may proceed with the modification even without the request of employees.
   4. Right to request deletion, disposal or anonymization of the personal data in the following cases:
      4.1. When the personal data is no longer necessary according to the objectives for the collection, usage or disclosure of the personal data
      4.2. When employees have withdrawn the consent for the collection, usage or disclosure of the personal data, and the Company no longer has the legal authority to collect, use or dispose of the personal data.
      4.3. When employees object to the collection, usage or disclosure of the personal data, and the Company no longer has the legal authority to decline, unless the Company has legal cause to refuse the request of employees.
   5. Right to request acquisition, transmission or transfer of the personal data of employees in case that the Company has processed it in formats that are readable or operable generally by automated tools or devices, and useable or disclosable by automated methods, unless it is unable to do so due to technical conditions, to perform duties for the public interest, in compliance with the law, or infringement of rights or the freedom of the other persons.
   6. Right to request objection, which employees can object the collection, usage or disclosure of the personal data at any time, in the following cases:
      6.1. In case of the personal data processed under legitimate interest of the Company, unless it has demonstrated a more important legal ground, or it is to establish legal claims, comply with the law, exercise the legal rights, or defend legal claims.
      6.2. For the purpose about direct marketing
      6.3. For scientific, historical or statistical research study, unless it is necessary for the Company to operate for its public interest.
   7. Right to request suspension of personal data usage in the following cases:
      7.1. When the Company is in the process of verifying the request of employees to modify the personal data to be accurate, up-to-date, complete and not misleading,
      7.2. When the personal data must be deleted or disposed of,
      7.3. When the personal data is no longer needed because it is necessary for employees to keep their own personal data to establish legal claims, comply with the law, exercise the legal rights, or defend legal claims,
      7.4. When the Company is in the process of proving the right to decline the objection to the collection, usage or disclosure of the personal data
   8. Employees have the right to file complaints to the Expert Committee according to the Personal Data Protection Act, B.E. 2562 (2019), if the Company violates or does not comply with the Personal Data Protection Act, B.E. 2562 (2019).
   In this regard, the Company reserves the rights to consider your request and proceed as required by personal data protection law.

O Contact Us
   Should the employees have any inquiry, wish to request modification, deletion, exercise of rights, or concern about other matters, please contact us via the communication channels below.

O Contact Information
   Mitsubishi Electric Kang Yong Watana Co., Ltd.,
   Data Protection Officer

   28 Krungthep Kreetha Rd., Huamark,
   Bangkapi, Bangkok 10240
   Telephone : 0-2763-7000 ext. 5018, 5014, 5012
   Facsimile : 0-2379-4759
   E-mail : [email protected]
Announced on June 1, 2022

Mitsubishi Electric Kang Yong Watana Co., Ltd.