Personal Data Protection Act
Privacy Center
Personal Data Protection Policy (Revised version 2021) (TH) (EN)

Notification of IRPC Public Company Limited
No. 006/2021
Personal Data Protection Policy of IRPC Public Company Limited
(Revised version 2021)
IRPC Public Company Limited (“ the Company” or “ IRPC”) , associated companies and companies under IRPC Group have realized the importance of personal data protection and have strived to maintain safety and security measures on personal data in accordance with appropriate standards at an international level. Therefore, the Company has established and disseminated this personal data protection policy (“the Policy”) to every relevant party for their acknowledgement. Such policy shall be in effect for every executive, employee, external party and contractor. In addition, the executives of every division shall be responsible for supporting, encouraging and auditing the Company’s operations to ensure their strict compliance with policies and laws relating to personal data protection as follows:
1. Personal data collection shall be conducted in a restricted manner and only when deemed as necessary as well as to comply with the established objectives, policies, handbooks and/ or guidelines set forth by the Company.
2. For the quality of data collected, the Company shall take into consideration the accuracy and appropriateness, while putting in place suitable security and risk management measures, as well as creating an awareness of, and responsibility for, the security of personal data.
3. The objectives of collection, use or disclosure of personal data, in accordance with the law, and data shall be processed according to the specified objectives. Personal data collected shall not be disclosed to any external parties except in the following circumstances:
(1) Vital interest
(2) Contract
(3) Official authority
(4) Legitimate interest
(5) Legal obligation
(6) Research or statistics
(7) Consent
4. To publicize and disseminate the policy, including guidelines on personal data protection via the Company’ s website and to carry out other duties as stipulated by law. For example, to establish measures to support the data subject to exercise his/ her right, to specify the responsibility of the data controller and data processor as well as to appoint the DPO etc.
5. Every personnel of the Company shall have an awareness and responsibility while being ready to protect personal data of other related parties as if they were their own personal data.
The objectives of this policy are to inform every sector of the details of the collection, use or disclosure of personal data, including the transfer of such data to other countries, measures in handling and safety of personal data to ensure its strict compliance with the Personal Data Protection Act B. E. 2562 (“ Personal Data Protection Act”) , relevant laws and must be in line with personal data protection standards at an international level. Consequently, the Company has endeavored to collect personal data only as deemed necessary, while limiting personal data collection only to achieve the established objectives in order to provide services to the data subject and to process data only as determined in the objectives.
1. Scope
This Personal Data Protection Policy must be applied to personal data in which the Company may collect, use, disclose or transfer to other countries. Such personal data belong to the following groups of people:
1) Customers of Petrochemical, Petroleum, Port and Asset Management Groups and other types of customers which encompass:
a) A natural person whether he/she is the Company’s present, past or future customer
b) Employee, personnel, staff, representative, agent, authorized person of a juristic person, director, contact person and a natural person who acts on behalf of the juristic person who is also the Company’s customer ผู้ติดต่อ และบุคคลธรรมดาอื่นที่กระทำในนามนิติบุคคลซึ่งเป็นลูกค้านิติบุคคลของ บริษัทฯ
2) Business partners, counterparties which encompass the following:
a) A natural person who is the Company’s business partner or counterparty, at present, in the past or in the future
b) Employee, personnel, staff, representative, agent, authorized person of a juristic person, director, contact person and a natural person who acts on behalf of the juristic person who is also the Company’s customer
3) Shareholders, investors, including any persons interested in the Company’s investment
4) Visitors and external parties entering the Company’s premises whereby the Company must gather their personal data to ensure the security of the area under responsibility
5) CSR stakeholders or any persons whom the Company may maintain their personal data to proceed with social activities or other related purposes
6) Personnel, employees and applicants which include a family’s member, or a person referred to by such employee or applicant
This Personal Data Protection Policy also encompasses different channels between the data subject and the Company which enable the Company to receive or collect personal data, whether they be the communication channels for the business groups of the Company, electronic systems, website, call center or customer service center, channel for filing complaints or for providing suggestions or criticisms, online communication channel, application for mobile devices, activities, public areas or communities under the Company’s responsibility toward society and/or for other relevant purposes.
The Personal Protection Policy explains various types of personal data collected by the Company, procedures, sources of data and objectives of the collection, use, disclosure, and transfer of personal data to other countries. Persons whose personal data may be disclosed or transferred by the Company, retention period of personal data and rights of the data subject must be in accordance with the Personal Data Protection Act, including appropriate safety measures as follows:
2. Definitions Referred to in this Policy
“Associated Company” refers to IRPC Public Company Limited, subsidiaries and joint ventures of the Company, including an authorized representative of such company.
“Personal Data” refer to data of a person which help identify such person, whether directly or indirectly, in which the Company has collected as notified in this Policy; for example, name, last name, nickname, address, telephone number, ID number, passport number, social security number, driver’ s license number, tax ID number, bank account number, credit card number, education background, financial status, health record, work experience, criminal record, email address, license plate number, title deed, IP address, cookie ID, log file etc.
However, the following forms of data are not considered personal data such as data for business contact, that does not identify such person. For example, the company’s name, address of the company, juristic ID of the company, office phone number, office email address, email address of the Company Group, anonymous data or inherent data which are considered pseudonymous data, data of the deceased person etc.
“Sensitive Personal Data” refers to personal data stipulated by the Personal Data Protection Act as sensitive data. The Company shall collect, use, disclose or transfer sensitive personal data abroad, provided that the data subject has already given his/her consent. Sensitive personal data shall include data pertaining to nationality, race, political opinion, cult, religion or philosophy, sexual behavior, criminal record, health record, disability, trade union information such as membership data etc. , genetic data, biometric such as facial recognition data, iris recognition data, voice identification data, fingerprint recognition data for identity authentication purposes, including other information which may affect the data subject in the same manner according to the notification of the Personal Data Protection Committee.
“Data Processor” refers to the collection, use or disclosure of personal data
“Data Subject” refers to a person who owns such personal data, but not in a case that the person has ownership or is the creator or collector of such data. The data subject shall refer to a natural person and does not include a juridical person constituted by law such as company, association, foundation or any other organizations.
3. Cookies and Use of Cookies
While browsing the Company’ s website, cookies may be placed in the viewer’s device, while data may be collected automatically. Some cookies may be required in order to facilitate the proper operation of the website, whereas others shall be used to facilitate the viewers and enable them to browse additional information regarding the Company’s cookies policy.
4. Improvement of Personal Data Protection Policy
The Company may review, improve and change this Personal Data Protection Policy from time to time to ensure its consistency with relevant guidelines, laws, rules and regulations. Nonetheless, upon any changes in this Policy, the Company shall publish the revised policy via the Company’ s website, including other channels.
5. Retention Period and Safety Measures
The Company shall maintain personal data as long as deemed necessary and appropriate in order to achieve the objectives specified in this Policy. The Company shall take into consideration the appropriate data retention period, contract period, prescription, including the necessity to further data collection for the duration required for the purpose of legal compliance, internal and external audit or audit of major shareholders, assessment, constitution or exercising of legal claim.
The Company shall maintain and keep your personal data in a safe and appropriate manner, whether in a form of document, computer and electronic system. Thus, you can be confident of the Company’s security measures which are appropriate and in line with international standards in order to prevent any losses, accesses, uses, changes, rectifications or disclosures of personal data improperly or without legitimate authorization.
Nonetheless, the Company has restricted the access and use of technology on the safety of your personal data to prevent any unauthorized accesses to computer or electronic system. Besides, in a case that your personal data may be disclosed to the external party who processes data or to the data processor, the Company shall supervise such person to proceed appropriately and in compliance with the order.
6. Rights of the Data Subject
The consent given by the data subject to the Company for the objectives of collection, use and disclosure of personal data shall remain usable until the data subject revokes his/her consent in a written document. The data subject can revoke his/ her consent or withhold the use or disclosure of personal data in order to proceed with any activities which can be achieved by sending the data subject’s request to the Company for acknowledgement in a written document or via email to PDPAcenter@irpc.co.th
Furthermore, the data subject is entitled to request his/ her legal rights within the criteria stipulated by the Personal Data Protection Act as indicated below:
• Rights of Access
The data subject is entitled to request for right of access to his/ her personal data collected by the Company and the data subject is entitled to request the Company to provide him/her with a copy of such personal data.
• Right to Data Portability
The data subject is entitled to request for his/ her personal data in a form the Company has already organized and can be read with an electronic form. Besides, the data subject is also entitled to request for data submission to other persons or the data subject himself/herself for a specific reason.
In addition, the Company may collect some fees if such request is made or when such exercising such right is extremely redundant or if it requires the Company to undertake excessive technical or administrative efforts.
• Right to Rectification
The Company shall endeavor to retain accurate and up- to- date personal data to ensure its integrity and avoid any misunderstandings. The data subject is entitled to be rectified, any inaccurate personal data changed or more details added on such personal data, in order to ensure their completion.
• Right to Object, Right to Erasure and Right to Restriction of Processing
The data subject is entitled to object the collection, use or disclosure of personal data within the criteria prescribed by law. Besides, the data subject is entitled to request the Company to erase or destroy such personal data or to make such personal data unable to identify personal identity by any means and the data subject also has the right to restriction of processing, except for legal restriction.
• Right to Withdraw Consent
The data subject is entitled to revoke his/her consent on data processing when the data subject has already given his/ her consent throughout the period, except in a case that such revocation of consent may incur some legal or contract restrictions. However, such revocation of consent shall not affect personal data processing which has previously been given legitimate consent to the Company.
• Right to be Informed
In case you have any concerns or inquiries about your compliance with the Personal Data Protection Act or personal data processing, please contact the Data Protection Officer or PDPA Center as detailed in this Policy. In a case where any breaches of personal data protection law have been found, the data subject who has been violated is entitled to file complaint to the authorized officer as set forth in the Personal Data Protection Act.
Nonetheless, the Company shall endeavor, depending on relevant system, to facilitate and proceed with the request without further delay unless it appears that such proceeding is unreasonable or may violate other people’ s personal data protection or deemed as a violation against the law or beyond one’s power to proceed with such request.
7. Contact Information
If you have any questions regarding this privacy policy or if you wish to exercise the right to processing your personal data, you can contact:
Data Protection Officer (DPO)
Email: PDPAcenter@irpc.co.th
PDPA Center, IRPC Public Company Limited
555/2 Energy Complex Building, Building B, 10th floor, Vibhavadi Rangsit Road
Chatuchak, Chatuchak Bangkok 10900
Tel: 02 7657000
Website: www.irpc.co.th
8. Additional Guidelines
The executives, employees, the Company and associated companies, companies under IRPC Group shall regularly perform self- audits to ensure that their operations are in line with the policies, guidelines, handbooks and laws and whether such operation is involved with personal data as well as how to operate in accordance with the Policy. Besides, they shall also:
• Endeavor to understand the content of rules, regulations, policies, guidelines which are considered part of the Policy, including other handbooks
• Endeavor to understand laws, rules and regulations which relate to the operation and personal data protection on a regular basis
• In a case where noncompliance has been found out, please report such matter directly to email: PDPAcenter@irpc.co.th or via other contact channels specified by the Company.
9. Review of Personal Data Protection Policy
The Company may review and improve the Personal Data Protection Policy or guidelines on a regular basis to ensure their compliance with relevant laws. Nonetheless, if there are any improvements, changes or rectifications, the Company shall notify such improvements, changes or rectifications via the Company’s website at www.irpc.co.th



Announced on 1 April 2021

Mr. Chawalit Tippawanich
President and Chief Executive Officer
IRPC Public Company Limited