Data Security and Privacy

Importance

In an era where technology plays a role in people’s lives, whether in purchasing goods and services, as well as in communication and conducting business, access to data and data privacy are therefore issues that must be given importance. Due to the current cyber threats, which arise in many different forms and result in damage to both the individual and business operations, businesses should prepare to prevent such disasters.
“Digital Driven Organization” is one of the OR’s commitments by using technology and digital platforms to conduct its business, support the Online to Offline (O2O) services for business flexibility to respond to the consumers and customers in a timely manner. It also is aware of the risks of business operations that might be related to Data Security and Privacy, such as Malware Phishing, which is classified as one of the Cyber Threats that may cause damages to both the business operations and the company’s reputation. Therefore, effective management of data security and privacy is required to meet the expectations of the customer, and to deliver value to all stakeholder groups through quality and safe products and services.

2024 Targets

Management Approach

Data Security and Privacy Policy

OR emphasizes and focuses on managing work in accordance with the Personal Data Protection Act. B.E. 2562 (2019) (PDPA) and secondary laws issued under the Act. Therefore, it has created the Data Privacy Policy of the Company, which includes the Company’s internal structure, policies, and practices related to personal data protection. It applies to all operations of the Company including employees, operators, customers, suppliers, contractors, agents, representatives, directors, executives, as well as other types of personnel of the Company.
OR therefore issues privacy notices and policies, categorized according to the utilization of stakeholder groups into the following 4 groups:

1. Business Partner Privacy Notice
2. Customer Privacy Notice
3. Human Resources Privacy Notice
4. Internal Privacy Policy, which consists of various sub-policies relating to the entire operations within the OR.

For all these privacy notices and policies, OR meticulously plans and designs the privacy notice and policy notification process, ensuring that appropriate consent is obtained for each stakeholder group.
[Learn more about privacy notices and polices for OR’s business partners and customers click: https://pdpa.pttor.com/]

Throughout all these comprehensive privacy notices and policies, OR has demonstrated a commitment to handling sensitive information with diligence, covering both internal and external personal privacy aspects, which include own operations, suppliers, and customers across various businesses. This aims to create security and the privacy of personal information and ensures that the OR collects, uses, and discloses information appropriately, in a way that meets the purpose stated to the personal data owner.
In addition, OR also sets the Information Policy. It is a policy on confidentiality, data retention, and usage of inside information. It also sets the OR Enterprise Data Governance policy to establish management directions and support safe information and communications that align with business needs and comply with relevant laws and regulations for all employees. (An information security/cybersecurity policy is internally available to all employees). This includes a Digital Standards manual for OR, which includes comprehensive content on digital operations such as the Information Security Incident Management, Information Security Aspects of Business Contiguity (BCM), etc.
OR has also created additional policies and processes, such as the Consent Management process, Data Retention Standard, Incident Response Procedure for personal data breach, Data Security Incident Reporting and Response Policy, Record of Processing Activities, and Guidance on Data Protection Officer Representative, etc.

Data Security and Privacy Governance
The governance structure follows the Three Lines Model to facilitate control, oversight, and auditing, with clear segregation of duties. This is carried out by the Enterprise Risk Management Committee (ERMC), which oversees cyber security and information technology strategies. OR has appointed the OR Digital & Data Governance Steering Committee (DGSC), chaired by the Executive Vice President of Corporate Strategy and Sustainability, with the Executive Vice President of Digital Business and Solutions as the vice-chair. The Chief Information Security Officer (CISO) is responsible for overseeing the implementation of information technology and digital operations, ensuring alignment with OR’s policies, directions, and business strategies, as well as those of the OR Group companies.

Data Security and Data Privacy Governance Structure

Level	Committee/Department	Responsibility
Board Level	Enterprise Risk Management Committee	Supervise in Cybersecurity and Information Technology Security Strategy. Follow up on IT Infrastructure Instability and Cyber Security Roadmap performance reports on a quarterly basis.
Executive Level and Management Level	OR Digital & Data Governance Steering Committee (DGSC) OR Management Committee (ORMC)	Set policies, goals and strategies for information technology and digital technology to comply with the business strategic plan of OR and OR Group. Responsible for setting and enforcing information technology policies and operating standards according to the cyber security framework. Supervise and control risk management in information and digital technology to supervise and manage risks. Solve problems related to data management Including issues related to cybersecurity. Report the progress of operations to the Company’s Management Committee (ORMC) for an appropriate period of time, no less than once per 6 months. Follow up on management regarding the personal data violation crisis. and support the work of personal data protection officers.
Operation Level	Data Protection Officer (DPO)	Provide advice on operations in accordance with personal data protection guidelines. Provide operational support and operate in accordance with personal data protection policies and standards. Check and report compliance with personal data protection policies and standards. Continuously improve the data governance processes.

Risk Assessment and Identification
OR specifies the Key Risk Indicator (KRI) on the topic of IT Infrastructure Instability and Cybersecurity. This is for systematic performance monitoring and ensuring that the business has a surveillance and that it monitors risks that may arise from data security and privacy issues.
Records of Processing Activities are maintained by all departments as a database of each department and the organization that are involved in personal data. This facilitates easy tracking and verification to ensure compliance with the intended purposes of data usage and alignment with relevant legal frameworks. The Records of Processing Activities are conducted according to the requirements of the Personal Data Protection Act, B.E. 2562 (2019).

Data Security, Privacy, and Cybersecurity

Committed to conducting business under the concept of Digital Driven Organization, OR is prepared for risks arising from security, data privacy, and cyber threats. OR complies with ISO/IEC 27001:2013 standards and the cyber security framework developed by National Institute of Standards and Technology (NIST). It starts with the installation of Perimeter Protection, such as Firewalls, which act as a traffic filter before entering the organization’s computer systems or internal network. This also includes Data Encryption, converting data to be a secret code that will help keep data safe for the Hardware and Software.
Additionally, there is management and monitoring of Authentication and Authorization controls to restrict data access. Account usernames and passwords are managed separately to enable traceability through logs in the event of a data breach. It also uses Two-Factor Authentication in accessing data that are important. The DLP or Data Loss Prevention Solution is used for monitoring and analyzing sensitive data export out of the organization in accordance with the Data Classification policy. Enterprise-level security done by using international standard Antivirus Software to ensure the security of data for various devices.
OR’s customer security and privacy has a clear policy. This is in line with the Personal Data Protection Act (PDPA). OR sets cookies to store or track information about the use of websites, and to analyze the Trend. Website management will track the website visit of the user to remember the user’s preferences. In this regard, the OR has a tracking record of customer data usage, in accordance with the announced customer privacy policy.
To ensure that the information systems developed or updated have been tested for safety, OR has procedures for Security Testing, and has an external agency test the information security system. This is done by simulating the computer network hacking situation or Third-party Vulnerability Analysis to OR. Penetration Testing is one example. In addition, OR has developed a Disaster Recovery Plan as a guideline for executives and related parties to know their roles, duties, and procedures for operations in the event of a threat to security and data privacy. OR has the Information Security of Business Continuity Management. It will examine the information security continuity measures that have been established and the results of their implementation, which are reviewed for at least twice a year.
Audits for compliance with the OR’s personal data security policy and cybersecurity are done by Internal Auditors as well as third-party audit annually. This is in accordance with the ISO 27001:2013. The results of operations related to data security and privacy, as well as cybersecurity is recorded and analyzed for the possibility of improving the security and data privacy management system, as well as specifying a plan for future business operations
Overall of internal audit conducted in 2024 for personal data protection operations is complied with principles and requirements of the Personal Data Protection Act B.E. 2562 (2019), sub-regulations (notifications), and other relevant announcements. The inspection is categorized into two aspects: legal preparation and personnel and organization’s procedure preparation. The main topics are as follows:

1. Obtaining consent
2. Processing of personal data (Collection, Use, Disclosure of Personal Data)
3. Notification of details and objectives to the data subject
4. Baseline used for data processing
5. Sending or transferring data abroad
6. Data Subject Rights
7. Duties of the data controller
8. Recording of personal data processing activities
9. Duties of data processors / contracts for processing personal data

From the audit, it was found that OR has prepared itself so that the organization, personnel, and related processes can conduct business appropriately in accordance with legal requirements. OR has an annual internal audit plan to ensure that the organization can conduct business in accordance with the aforementioned relevant laws.

Complaint Channel

(GRI 418-1)

OR has a complaint channel in the event of leak of personal information, through the 1365 Contact Center, or through the email dpo@pttor.com The Complaints will be reported to the Data Protection Officer (DPO). The relevant departments will acknowledge the information, and it will be analyzed and prepared to have a plan to correct and remedy the incident appropriately, as stated in the Incident Response Procedure.
In the event that OR discovers a leak of personal information, OR must report the data breaches, as stipulated in the Personal Data Protection, B.E. 2562 (2019). This includes violations that have a high risk of affecting the rights and freedoms of the individual. The remedy guidelines must also be informed without delay and must be notified to the office of the Personal Data Protection Commission.

Performance

Overall performance on data security and privacy management in 2024 shows that OR reported no incidents of customer privacy violations or customer data loss.
In 2024, OR received no complaints regarding customer privacy violations or customer data loss for secondary purposes.

Data Security and Cyber Security Training and Knowledge Sharing

To raise awareness of personal data protection and data security and strengthen knowledge of cybersecurity within the company, OR has organized training programs for employees. These programs include courses on cybersecurity and personal data protection to ensure employees gain a thorough understanding of data protection and are adequately prepared to address cyber threats. These training programs aim to enable OR to transition effectively into a Digital-Driven Organization. The training is delivered through various formats, including PR E-learning modules and onsite sessions, as outlined below:

1. Cyber Security Awareness Training with Test for OR’s Employees
The E-learning training is designed to help employees understand digital service delivery, policies, regulations, practices, and standards related to the company’s information security. This also includes the understanding of laws related to the Computer-related Crime Act, threats, and consequences of misuse and improper use of information systems. Training content includes topics such as Password Security, Phishing E-mail, Malware Protection, Internet Using Security, etc., which are presented in the form of Animation to add interest to the content. Additionally, there is also a Refreshment course, which is a Cyber Security Awareness exam for employees who have been working with the Company for a certain amount of time, in order to review and create awareness of the information security management policy. In 2024, 99.04% of participants passed the test. Furthermore, contractors working for OR are also required to take a Cyber Security Awareness test, with 100% passing the test in 2024.

2024 Cyber Security Awareness Test for OR’s Employee

2. Personal Data Protection Training for Employees
In 2024, the training on personal data protection for employees includes the PDPA for Digital Marketing course in onsite format. This course is designed for employees from departments responsible for handling customer personal data. The objective is to ensure employees understand an appropriate collection and management of personal data in compliance with the Personal Data Protection Act, B.E. 2562 (2019), and to follow appropriate procedures in the event of a personal data breach. The course also includes a workshop where employees can practice creating marketing strategies focused on personal data protection, allowing them to apply the knowledge to their work in accordance with the law. Additionally, there is a training course on the Personal Data Protection Act, focusing on the Record of Processing Activities (ROPA) process, also conducted onsite. This course provides employees responsible for handling personal data with the knowledge required to create a Record of Processing Activities, as mandated by the Personal Data Protection Act (PDPA), B.E. 2562 (2019).