Matching Maximize Solution Public Company Limited (“MATCH”) and its subsidiaries, including any persons involved in the processing of personal data under the instruction of or on behalf of the Company (collectively referred to as the “Company”), recognize the importance of personal data protection. The Company is committed to ensuring transparency and accountability in the collection, use, and disclosure of personal data in compliance with the Personal Data Protection Act B.E. 2562 (2019) (the “Personal Data Protection Law”), as well as other applicable laws.

This Personal Data Protection Policy (the “Policy”) has therefore been established to set forth details regarding the collection, use, or disclosure (collectively referred to as “processing”) of personal data carried out by the Company, including by employees and other related persons acting on behalf of or in the name of the Company.

Definitions

• Personal Data means any information relating to an identified or identifiable natural person, whether directly or indirectly identifiable, but excluding information of deceased persons specifically.
• Sensitive Personal Data means personal data as prescribed under Section 26 of the Personal Data Protection Act B.E. 2562 (2019), including data relating to race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union membership, genetic data, biometric data, or any other data which may affect the data subject in a similar manner as prescribed by the Personal Data Protection Committee.
• Personal Data Processing means any operation or set of operations performed on personal data, such as collection, recording, copying, organization, storage, retention, modification, alteration, use, retrieval, disclosure, transmission, dissemination, transfer, combination, erasure, or destruction.
• Data Subject means a natural person who is the owner of personal data collected, used, or disclosed by the Company.
• Data Controller means a person or juristic person who has the authority to make decisions regarding the collection, use, or disclosure of personal data.
• Data Processor means a person or juristic person who processes personal data on behalf of or under the instruction of a data controller, and who is not a data controller.
• Personal Data Protection Committee means the committee appointed under the Personal Data Protection Act B.E. 2562 (2019) with duties and authority to supervise, prescribe rules, measures, or guidelines relating to personal data protection.

Collection of Personal Data
          The Company collects personal data for lawful and fair purposes, within defined scopes and by lawful means, and only to the extent necessary for the Company’s operations in accordance with its purposes.

          The Company shall inform data subjects and obtain consent, including electronic consent or through other methods prescribed by the Company, as applicable. In the event that the Company collects sensitive personal data, explicit consent shall be obtained from the data subject prior to such collection, unless the collection of personal data or sensitive personal data falls within the exemptions prescribed under the Personal Data Protection Law or other applicable laws, including but not limited to the following circumstances:

1. For the performance of a contract, where processing is necessary for providing services or fulfilling contractual obligations between the Company and the data subject.
2. For the prevention or suppression of danger to life, body, or health.
3. For compliance with legal obligations.
4. For the legitimate interests of the Company, where such processing is necessary for the Company’s operations and does not override the fundamental rights and freedoms of the data subject, such as fraud prevention, network security, and protection of legal rights and interests.
5. For research or statistical purposes, including historical documentation or archival purposes for public interest, with appropriate safeguards in place.
6. For the performance of tasks carried out in the public interest or under the exercise of official authority vested in the Company.
    

Purposes of Collection or Use of Personal Data
          The Company may collect or use personal data for various purposes depending on the services, activities, and the nature of the relationship between the data subject and the Company. The purposes stated below serve as a general framework for personal data processing:
      1)    To enter into or perform contractual obligations between the Company and the data subject, or between the Company and third parties for the benefit of the data subject.
      2)    To respond to inquiries and provide assistance.
      3)    To develop and improve the Company’s products and services.
      4)    To provide information, marketing communications, promotional offers, or benefits through contact channels provided by the data subject, subject to the data subject’s consent.
      5)    To conduct surveys, analysis, research, and statistical compilation for marketing or business development purposes, subject to consent.
      6)    For internal business administration and operations based on legitimate interests.
      7)    To monitor, supervise, and ensure security within the Company’s premises.
      8)    To disclose information to government authorities or regulators as required by law, such as law enforcement agencies, anti-money laundering authorities, tax authorities, or courts.
      9)    To comply with laws relating to accounting and finance, including audits, billing, debt collection, welfare benefits, tax withholding, and statutory transaction records.
      10)    To carry out procurement and purchasing activities.
      11)    For the legitimate interests of the Company, such as CCTV recording.
      12)    For identity verification, authentication, service usage verification, or exercise of legal rights.
      13)    For organizational management, including recruitment, appointment of directors or executives, and qualification assessment.
      14)    To enhance operational efficiency, including data analysis and process improvement.
      15)    For investigation, compliance with regulations, orders, legal proceedings, court orders, and enforcement of legal rights.
      16)    To maintain records of personal data processing as required by law.
      17)    For other purposes explicitly consented to by the data subject.

          The Company shall retain and use personal data only for the period necessary to fulfill the stated purposes or as required by law.
The Company shall not process personal data beyond the stated purposes unless:
      (1) New purposes have been notified to the data subject and consent has been obtained; or
      (2)Such processing is permitted or required by the Personal Data Protection Law or other applicable laws.

Disclosure and Transfer of Personal Data
           The Company shall not disclose personal data to any third party without the data subject’s consent, except as disclosed in accordance with the stated purposes. However, for operational efficiency and service provision, the Company may disclose personal data to its subsidiaries or third parties, both domestic and international, such as service providers who process personal data on behalf of the Company.

          In such cases, the Company shall require such parties to maintain confidentiality and use personal data only within the scope defined by the Company.

          The Company may also disclose personal data as required by law, including disclosure to government authorities, regulators, or in response to lawful requests related to legal proceedings or enforcement actions.

Personal Data Security Measures
          The Company has implemented appropriate organizational and technical security measures in compliance with applicable laws, regulations, standards, and guidelines to protect personal data. Access to personal data is restricted to authorized personnel with a legitimate need based on the notified purposes.

          Such personnel are required to strictly comply with the Company’s data protection measures and confidentiality obligations. The Company adopts security measures consistent with international standards and requirements prescribed by the Personal Data Protection Committee and promotes awareness and responsibility among its employees regarding personal data protection.

          Where personal data is transferred or disclosed to third parties for services, contractual obligations, or other arrangements, the Company shall ensure that appropriate security and confidentiality measures are in place as required by law.

Rights of Data Subjects
      Data subjects have the following rights: 
      (1)     The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent prior to withdrawal.
      (2)     The right to access personal data and request copies, including disclosure of the source of personal data obtained without consent.
      (3)     The right to request rectification of inaccurate personal data.
      (4)     The right to request erasure of personal data.
      (5)     The right to request restriction of processing.
      (6)     The right to data portability.
      (7)     The right to object to personal data processing.
          Requests to exercise these rights may be submitted in writing or via email using the forms prescribed by the Company through the contact channels provided below. The Company shall respond within 30 days from the date of receipt of the request, subject to legal limitations.

Review and Amendment of the Policy
          The Company may review and amend this Policy from time to time to comply with legal requirements, operational changes, or recommendations from relevant authorities. Any material changes will be clearly communicated prior to implementation.

Contact Information and Exercise of Rights
          For inquiries, suggestions, concerns regarding personal data processing, or to exercise rights under the Personal Data Protection Law, data subjects may contact:

Data Protection Officer (DPO)
Matching Maximize Solution Public Company Limited
379 Soi Sathu Pradit 19, Sathu Pradit Road, Chong Nonsi, Yan Nawa, Bangkok 10120, Thailand
Tel: +66 (0)2-669-4200
Email: dpo@mmsbangkok.com

The full version of this Policy is available in the Company’s Personal Data Protection Policy document.

• Privacy Policy (Full Version)