Privacy Policy for Shareholders and Stakeholders

DEMCO always respects the privacy rights of shareholders and stakeholders, who hold status as owners of personal data. Throughout this policy, they will be referred to as “the associate". This policy has been created to ensure the associate’s confidence in the protection of his/her personal data. It is an extension of the "DEMCO Business Group Personal Data Protection Policy" and provides details on the collection, usage, and disclosure (collectively referred to as "processing") of the associate personal information which includes online and other channels of deletion and destruction of you his/her personal data, as mandated by data protection laws.

1. Definitions

   Shareholder

   Refers to an individual who legally owns shares in the proportion or the value of shares held, as be listed in the Company's register of shareholders.

   Stakeholder

   Refers to an individual or a group that be affected by the Company's business operations, whether directly or indirectly. This includes employees, shareholders, investors, customers, consumers, business partners, local community where the organization is located, government authorities, and regulatory sector who is responsible for policymaking and enforcement. These definitions align with those provided in the "DEMCO Business Group Personal Data Protection Policy."

   Besides the definitions of the words stated above, the other words shall carry the meanings as defined in the "DEMCO Business Group Personal Data Protection Policy."

2. Objectives of Personal Data Processing
   1. In Compliance with Laws: The processing of personal data by DEMCO is aimed at complying with legal requirements. This includes the management of the Company, such as establishment, capital increase or decrease, corporate structure transformation, change of registered items, shareholders meetings, directors nomination and appointment, board of directors meetings, managing shareholder rights and responsibilities, dividend payments, interest payments on debentures, accounting and reporting, document verification, document delivery for shareholder meetings, or those adhere to securities and stock market regulations and other relevant legal obligations.
   2. For the lawful benefit of DEMCO or others: Personal data processing is conducted for the benefit of DEMCO or other individuals. This encompasses the Company management, record from meetings, security, and utilizing legal rights for claims.
   3. For Health and Safety: Processing personal data is undertaken to prevent and mitigate risks to life, body, or health of the associate or the others. This includes the cases of emergency contacts and communicable disease control.
   4. For Activities and Communication: The processing of personal data is carried out for the associate’s benefits such as DEMCO’s projects visit activities, social and environment activities including volunteers for Green Roof Project.

   The collection, usage, and disclosure of the associate’s personal information for the purposes mentioned in 2.1, 2.2, and 2.3 can be carried out by DEMCO without explicit consent as required by laws. For the purpose mentioned in 2.4 and the others require consent, which details can be studied more in section 4.

3. The collected Personal Data
   1. DEMCO collects personal data directly from shareholders, stakeholders, or from authorized representatives such as for shareholding, stock borrowing, and indirectly through brokers or registrars. This includes the information such as name, address, phone number, email, contact preferences, nationality, occupation, date of birth, tax ID, national ID, company registration number, bank account details, no. of shares holding.
   2. DEMCO gathers personal information from board members and those nominated as board members. This information is collected directly from individuals, as well as from government agencies, regulatory sector, and publicly disclosed sources. The details included:
      • In nomination process, DEMCO will collect personal informations from national identification cards or official documents those can provide identity verification. This includes, but not limited to, name, gender, ID card number, passport number, photograph, date of birth, nationality, place of birth, and height.
      • For individuals holding board positions, more additional personal informations will be collected, such as compensation details, training participation, activities, marital status, information about spouses, children, parents, siblings, blood group, bank account numbers, email addresses, education background, occupation and working background, board membership or taken positions in other companies or businesses, frequency of participation in board or subcommittee or shares holders meetings, director compensation, information and name of the company which the securities holdings, director performance, and other information as required by law or good governance principles.
   3. Event Participation: When the associate participate in DEMCO events, additional personal data may be collected with the explicit consent.
   4. Special Categories of Personal Data: In specific cases, DEMCO may need to collect and process special categories of personal data, such as health-related information about food allergies or drug allergies information, which may affect specific activities. Clear consent will be obtained, and appropriate security measures will be implemented.
   5. Website Usage: When the associate accesses the Company's website, which uses cookies, DEMCO has a designated policy on cookie usage and publicly notice on the Company's website.
4. Requesting for consent and the possible consequential effect in case of the consent withdrawal
   1. In cases when DEMCO collects, processes, and analyzes the associate personal data for any purposes beyond those stated in sections 2.1, 2.2, and 2.3, DEMCO will seek for consent. However, the associate has the right to withdraw his/her consent at any time. The withdrawal of consent will not affect the collection, usage, disclosure, or processing of the other personal data that he/she has previously consented to.
   2. If the associate withdraw his/her consent given to DEMCO or refuses to provide certain information, it may result in DEMCO being unable to fulfill some or all of the objectives outlined in this privacy policy.
   3. If the associate is under the age of 20, please provide details of his/her legal guardian to DEMCO when giving consent. This is to allow DEMCO to obtain consent from the legal guardian as well.
5. Duration of Personal Data Retention
   1. DEMCO will retain the associate personal data for the necessary period to achieve the objectives based on the types of personal data unless the law allows for a longer retention period. In cases where the specific retention period cannot be determined, data will be kept for a period that is reasonably expected according to standard data collection practices (e.g., a maximum of 10 years as per general legal age limits).
   2. DEMCO has implemented a system to review and delete or destroy personal data when it exceeds the specified retention period or is no longer relevant, or when it goes beyond the necessary requirements for the purposes of data collection as outlined in this policy.
6. Disclosure of Personal Data to Third Parties
   1. DEMCO may disclose, transfer, or share the associate personal data with:
      • DEMCO's business entities as listed in the attached document, and
      • Other individuals and legal entities not involve to DEMCO business group ("Other Parties")

      for the purposes specified in sections 2.1, 2.2, and 2.3, without requiring your explicit consent as legally stipulated. This includes, but is not limited to, government agencies or organizations (such as the Ministry of Commerce, Securities and Exchange Commission, Stock Exchange of Thailand, Securities Depository Company Limited, Ministry of Finance, courts, or individuals involved in legal proceedings), relevant service providers (such as conference management services, financial institutions, insurers and their agents, securities companies, business partners and consultants, professional service providers, and other individuals necessary for disclosure). For disclosure, transfer, or sharing for other purposes, the Company will seek the associate’s consent as detailed in section 4.

   2. DEMCO will ensure that recipients of information under section 6.1 have appropriate data protection measures and process your personal data only to the extent necessary. If the recipient acts as a personal data processor, DEMCO will establish a contract and provide recommendation as required by law.
7. Transfer of Personal Data Abroad
   1. DEMCO may transfer the associate personal data to other companies within the DEMCO business group or other entities outside the country when it is necessary to be a part of international contract which the associate involving in a party, or as part of actions based on contracts between the DEMCO business group and individuals or legal entities for the associate’s benefit or for carrying out the associate requests before entering into a contract, or to prevent or suspend threats to life, body, or health of the associate or that of others, to comply with the laws, or when it is necessary to carry out a mission for an important public interest.
   2. DEMCO may store the associate information on servers or clouds provided by third parties and may use programs or applications of third parties in the form of software service and the form of providing a ready-made platform service to process the associate personal data. However, DEMCO will not allow unrelated third parties to access the associate personal data and will ensure that these parties have adequate security measures in place.
   3. In the case of transferring the associate personal data abroad, DEMCO will conduct complying with the international conditions and terms of data protection laws and take appropriate measures to ensure that the associate personal data is protected and allow you the associate to exercise relevant rights over his/her personal data as required by law. DEMCO will also ensure that recipients of the data have suitable protective measures and process the associate data only to the extent necessary. DEMCO will take actions to prevent unauthorized ones use or disclose the associate personal data as well.
8. Data Privacy and Security Measures
   1. Ensuring that the security of the associate personal data is of utmost importance to DEMCO. We have implemented the appropriate technical, managerial, and physical security standards to safeguard personal information from loss, unauthorized access and usage, prohibited disclosure, improper handling, data pervert, destruction by technology, and security breaches. The measures such as encryption and access restriction limitations are employed to ensure that only authorized individuals have the right accessing to the associate personal data. These authorized personnels undergo training to be emphasized for the most significant importance of protecting personal information.
   2. DEMCO has established appropriate security measures to prevent data loss, unauthorized access, usage, alteration, pervert, or disclosure of personal information by individuals lacking the right or responsibility associated with that personal data. Periodic reviews of these measures are conducted when necessary or when technological advancements warrant better changes to ensure the effectiveness of the security protocols in place.
9. The associate Rights Regarding Personal Data
   1. The associate has the following rights, as mandated by data protection laws:
      • Withdraw his/her consent given to DEMCO for processing his/her personal data.
      • Request access to and copies of his/her personal data, including information on its original.
      • Transmit or transfer personal data electronically to another data controller as per data protection laws.
      • Object to the collection, usage, or disclosure of his/her personal data.
      • Request the deletion or anonymization of his/her personal data.
      • Suspend the usage of his/her personal data.
      • Correct his/her personal data to ensure for accuracy, completeness, and prevent misunderstandings.
      • Complain with the Personal Data Protection Committee if DEMCO or its processors violate data protection laws.
      • DEMCO will promptly consider and notify the associate the results of his/her requests within 30 days of receiving the requirement. The aforementioned rights shall align with data protection laws.
   2. The associate can exercise his/her rights under the law by clicking [here] (effective since June 1, 2022, when data protection laws come into enforce for data controllers).
10. Information about the Data Controller and Data Protection Officers
    1. Data Controller: DEMCO Public Company Limited
    2. Contact Address: 59 Moo 1, Suan Phrik Thai Subdistrict, Mueang Pathum Thani District, Pathum Thani Province, 12000
    3. For inquiries regarding data protection:
       • Email: : DPO@demco.co.th
       • Phone: : 02 9595811

If there are any modifications or updates to this privacy policy, DEMCO will announce the revised version on its website. It is recommended to periodically check for any changes (if any). New changed policy will take effect immediately whenever it is announced.