Goals and Performance Highlights

Goals

Comply with laws and international standards on personal data protection
Prevent data leakage and unauthorized access
Respect the rights of data owners
Strengthen awareness of data security and cybersecurity

Performance

Continuous compliance with laws and international standards on personal data protection
Conducted Cyber Security training
Conducted Cyber Security awareness tests, including phishing and preventive assessments
Developed BCP and Recovery plans

Commitment, Challenge and Opportunity

Supalai Public Company Limited and its subsidiaries (“the Company”) are committed to conducting business transparently and responsibly under the framework of good governance and ESG. The Company recognizes the privacy of customers, employees and suppliers as a fundamental right, and considers cybersecurity to be a core pillar of digital trust. Therefore, the Company has announced and enforced the “Personal Data Protection Policy” together with “Cybersecurity Measures” to ensure that the collection, use, disclosure, and transfer of data comply with legal requirements, are transparent, and remain secure throughout the data lifecycle.

Management and Strategic Approach

The Company recognizes the importance of protecting the personal data of customers, business partners/suppliers, employees, and all stakeholders, and regards this as one of the principles of good corporate governance to build confidence and maintain long-term relationships with stakeholders. Operations are conducted under the framework of the Personal Data Protection Act B.E. 2562, as well as relevant international standards, with clear guidelines as follows:

1. Policy Setting and Operational Framework
  • Establish and implement a Personal Data Protection Policy covering the principles of data collection, use, disclosure, and destruction.
  • Define the scope of operations in accordance with legal requirements and international standards, with regular reviews and updates.
2. Management and Governance
  • Appoint a Data Protection Officer (DPO) to provide guidance, monitor compliance, and coordinate with regulatory authorities.
  • Establish a clear internal governance structure, defining roles and responsibilities of relevant departments.
3. Data Protection and Security Measures
  • Implement security measures across administrative, technical, and physical aspects.
  • Manage data access rights based on job responsibilities (Role-based Access Control).
  • Monitor and audit data usage to reduce the risk of unauthorized access.
4. Awareness and Employee Training
  • Conduct training for employees at all levels on personal data protection requirements and practices, both during onboarding and through annual refresher courses.
  • Develop internal communications materials and operational manuals to foster understanding and correct practices.
5. Data Subject Rights Management
  • Provide processes for data subjects to exercise their rights, including the right of access, rectification, deletion, transfer, and objection to the use of data.
  • Establish an SLA to respond to requests within 30 days from the date of receipt.
6. Data Breach Management
  • Develop a data breach response plan with an operational team capable of timely action.
  • Notify regulatory authorities and data subjects within the legally prescribed timeframe, and implement corrective and preventive measures.
7. Personal Data Management with Third Parties & Processors
  • Execute Data Processing Agreements (DPA) with external service providers handling personal data.
  • Regularly assess the readiness and compliance of external data processors.
8. Data Retention and Destruction
  • Retain data only as necessary for the intended purpose and for the duration required by law or regulations.
  • Safely and verifiably destroy or delete data once it is no longer needed.
9. Monitoring and Evaluation
  • Regularly audit and evaluate personal data protection practices, both internally and externally.
  • Use evaluation results to continuously update and enhance measures for efficiency and effectiveness.

The Company’s approach to personal data protection reflects its commitment to conducting business with good governance, transparency, and responsibility toward all stakeholders. The Company not only complies with legal requirements but also elevates data protection standards in line with international guidelines to build long-term confidence, security, and trust. Furthermore, these operations contribute to supporting the Sustainable Development Goals (SDGs) by promoting strong, transparent, and accountable institutions, while serving as a key foundation for driving the organization’s sustainable growth in the future.

Stakeholders Directly Impacted

Customers
Positive Impacts
  • Legal and reputational risks are reduced through strong data governance.
  • Business continuity and cyber resilience improve, creating a positive impact on ESG performance.
Expected Impacts / Risks
  • Cybersecurity and PDPA compliance investments and operating costs may increase in the short term.
  • In the event of a serious incident, organizational trust and value may be temporarily affected.
Employees
Positive Impacts
  • Data are collected, used, and disclosed in accordance with the law, transparently and only as necessary.
  • Receive full PDPA rights (access, rectification, deletion, withdrawal of consent, etc.) with clear DSAR channels.
  • Risks of data breach or fraud are reduced through security measures.
Expected Impacts / Risks
  • Identity verification processes may require additional steps or time in service delivery.
  • Rejecting cookies or marketing preferences may reduce the level of personalized experience.
  • In the event of a data breach, individuals may experience emotional impact or inconvenience, even if the Company has remediation plans in place.
Suppliers / Retailers
Positive Impacts
  • Clear cybersecurity policies and standards help reduce operational risks.
  • Employees receive PDPA and data security training, along with guidance on incident response.
  • Role-based access control helps reduce individual burden and personal liability.
Expected Impacts / Risks
  • Workload may increase due to compliance requirements, record-keeping, and access-rights reviews.
  • System usage monitoring measures (as required by law) may be perceived as limiting workplace privacy.
Shareholders / Investors
Positive Impacts
  • Clear security requirements and a well-defined DPA help reduce ambiguity in data-related transactions.
  • Receiving guidelines on secure system integration and data transfer enhances mutual trust.
Expected Impacts / Risks
  • Requires investment to strengthen security measures and undergo regular assessments and audits.
  • Liability and contractual penalties may apply in the event of a data breach.
Government Agencies and External Regulators
Positive Impacts
  • Clear cooperation and legal compliance strengthen systematic incident reporting and response.
  • Supports effective enforcement of the PDPA and cybersecurity regulations.
Expected Impacts / Risks
  • If an organization fails to comply, stricter inspections, enforcement actions, and higher resource allocation may be required.
Communities / Society and Media
Positive Impacts
  • Higher privacy standards enhance trust in the digital economy.
  • Reduces the likelihood of personal data being misused or exploited in cybercrime.
Expected Impacts / Risks
  • Large-scale data breaches (if they occur) may impact public confidence in the industry or the broader digital ecosystem.
  • Misunderstandings about data use may lead to negative public sentiment if communication is not sufficiently transparent.